Managing Risk and Information Security
Protect to Enable
Second Edition
Malcolm W. Harkins
Managing Risk and Information Security: Protect to Enable
Malcolm W. Harkins
Folsom, California, USA
ISBN-13 (pbk): 978-1-4842-1456-5 ISBN-13 (electronic): 978-1-4842-1455-8
DOI 10.1007/978-1-4842-1455-8
Library of Congress Control Number: 2016949414
Copyright © 2016 by Malcolm W. Harkins
ApressOpen Rights: You have the right to copy, use and distribute this Work in its entirety, electronically without
modification, for non-commercial purposes only. However, you have the additional right to use or alter any source
code in this Work for any commercial or non-commercial purpose which must be accompanied by the licenses in
(2) and (3) below to distribute the source code for instances of greater than 5 lines of code. Licenses (1), (2) and (3)
below and the intervening text must be provided in any use of the text of the Work and fully describes the license
granted herein to the Work.
(1) License for Distribution of the Work: This Work is copyrighted by Malcolm Harkins, all rights reserved. Use
of this Work other than as provided for in this license is prohibited. By exercising any of the rights herein, you
are accepting the terms of this license. You have the non-exclusive right to copy, use and distribute this English
language Work in its entirety, electronically without modification except for those modifications necessary for
formatting on specific devices, for all non-commercial purposes, in all media and formats known now or hereafter.
While the advice and information in this Work are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions
that may be made. The publisher makes no warranty, express or implied, with respect to the material contained
herein.
If your distribution is solely Apress source code or uses Apress source code intact, the following licenses (2) and (3)
must accompany the source code. If your use is an adaptation of the source code provided by Apress in this Work,
then you must use only license (3).
(2) License for Direct Reproduction of Apress Source Code: This source code, from Intel® Trusted Execution
Technology for Server Platforms, ISBN 978-1-4302-6148-3 is copyrighted by Apress Media, LLC, all rights reserved.
Any direct reproduction of this Apress source code is permitted but must contain this license. The following license
must be provided for any use of the source code from this product of greater than 5 lines wherein the code is
adapted or altered from its original Apress form. This Apress code is presented AS IS and Apress makes no claims
to, representations or warrantees as to the function, usability, accuracy or usefulness of this code.
(3) License for Distribution of Adaptation of Apress Source Code: Portions of the source code provided are used
or adapted from Intel® Trusted Execution Technology for Server Platforms, ISBN 978-1-4302-6148-3 copyright
Apress Media LLC. Any use or reuse of this Apress source code must contain this License. This Apress code is made
available at Apress.com/9781484214565 as is and Apress makes no claims to, representations or warrantees as to
the function, usability, accuracy or usefulness of this code.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every
occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion
and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this
publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is
not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions
that may be made. The publisher makes no warranty, express or implied, with respect to the material contained
herein.
Cover image designed by Freepik.
Managing Director: Welmoed Spahr
Lead Editor: Robert Hutchinson
Development Editor: James Markham
Editorial Board: Steve Anglin, Pramila Balen, Aaron Black, Louise Corrigan, Jonathan Gennick, Robert
Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham, Susan McDermott, Matthew Moodie,
Natalie Pao, Gwenan Spearing
Coordinating Editor: Melissa Maldonado
Copy Editor: Mary Behr
Compositor: SPi Global
Indexer: SPi Global
Artist: SPi Global
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail
orders-ny@springer-sbm.com, or visit www.springer.com. Apress Media, LLC is a California LLC
and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc).
SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail rights@apress.com, or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook
Licensing web page at www.apress.com/bulk-sales.
Any source code or other supplementary materials referenced by the author in this text is available
to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to
www.apress.com/source-code/.
Printed on acid-free paper
About ApressOpen
What Is ApressOpen?
• ApressOpen is an open access book program that publishes
high-quality technical and business information.
• ApressOpen eBooks are available for global, free,
noncommercial use.
• ApressOpen eBooks are available in PDF, ePub, and Mobi formats.
• The user friendly ApressOpen free eBook license is presented on
the copyright page of this book.
This book is dedicated to my family.
Contents at a Glance
Foreword ......................................................................................... xv
Praise for the second edition of Managing Risk and
Information Security...................................................................... xvii
About the Author ............................................................................ xxi
Acknowledgments........................................................................ xxiii
Preface ...........................................................................................xxv
■Chapter 1: Introduction ...... 1
■Chapter 2: The Misperception of Risk ...... 17
■Chapter 3: Governance and Internal Partnerships: How to Sense, Interpret, and Act on Risk ...... 31
■Chapter 4: External Partnerships: The Power of Sharing Information ...... 49
■Chapter 5: People Are the Perimeter ...... 65
■Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric ...... 81
■Chapter 7: A New Security Architecture to Improve Business Agility ...... 99
■Chapter 8: Looking to the Future: Emerging Security Capabilities ...... 117
■Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk ...... 129
■Chapter 10: The 21st Century CISO ...... 139
■Chapter 11: Performance Coaching ...... 155
■Appendix A: References ...... 171
Index ...... 181
Contents
Foreword ......................................................................................... xv
Praise for the second edition of Managing Risk and
Information Security...................................................................... xvii
About the Author ............................................................................ xxi
Acknowledgments........................................................................ xxiii
Preface ...........................................................................................xxv
■Chapter 1: Introduction ...... 1
  Protect to Enable® ...... 5
    Building Trust ...... 8
    Keeping the Company Legal: The Regulatory Flood ...... 8
    The Rapid Proliferation of Information, Devices, and Things ...... 12
    The Changing Threat Landscape ...... 13
    A New Approach to Managing Risk ...... 16
■Chapter 2: The Misperception of Risk ...... 17
  The Subjectivity of Risk Perception ...... 18
  How Employees Misperceive Risk ...... 18
    The Lure of the Shiny Bauble ...... 20
  How Security Professionals Misperceive Risk ...... 20
    Security and Privacy ...... 22
  How Decision Makers Misperceive Risk ...... 23
  How to Mitigate the Misperception of Risk ...... 24
    Uncovering New Perspectives During Risk Assessments ...... 25
  Communication Is Essential ...... 26
    Building Credibility ...... 28
■Chapter 3: Governance and Internal Partnerships: How to Sense, Interpret, and Act on Risk ...... 31
  Information Risk Governance ...... 32
  Finding the Right Governance Structure ...... 34
  Building Internal Partnerships ...... 37
    Legal ...... 38
    Human Resources ...... 42
    Finance ...... 43
    Corporate Risk Management ...... 44
    Privacy ...... 45
    Corporate Security ...... 45
    Business Group Managers ...... 46
  Conclusion ...... 47
■Chapter 4: External Partnerships: The Power of Sharing Information ...... 49
  The Value of External Partnerships ...... 51
  External Partnerships: Types and Tiers ...... 52
    1:1 Partnerships ...... 55
    Communities ...... 57
    Community Characteristics ...... 57
    Community Goals ...... 59
    Sharing Information about Threats and Vulnerabilities ...... 59
    Sharing Best Practices and Benchmarking ...... 60
    Influencing Regulations and Standards ...... 62
    Corporate Citizenship ...... 63
  Conclusion ...... 63
■Chapter 5: People Are the Perimeter ...... 65
  The Shifting Perimeter ...... 65
  Compliance or Commitment? ...... 66
  Examining the Risks ...... 68
  Adjusting Behavior ...... 69
  A Model for Improving Security Awareness ...... 71
  Broadening the Awareness Model ...... 74
  The Security Benefits of Personal Use ...... 74
  Roundabouts and Stop Signs ...... 75
  The Technology Professional ...... 77
  Insider Threats ...... 78
    Deter ...... 79
    Detect ...... 79
    Discipline ...... 80
  Finding the Balance ...... 80
■Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric ...... 81
  Structured Methods for Identifying Threat Trends ...... 82
    The Product Life Cycle Model ...... 83
    Understanding Threat Agents ...... 88
    Playing War Games ...... 90
  Trends That Span the Threat Landscape ...... 91
    Trust Is an Attack Surface ...... 91
    Barriers to Entry Are Crumbling ...... 92
    The Rise of Edge Case Insecurity ...... 92
    The Enemy Knows the System ...... 93
  Key Threat Activity Areas ...... 94
    The Industry of Malware ...... 94
  The Web Expands to the Internet of Things ...... 94
  Smartphones ...... 96
    Web Applications ...... 97
  Conclusion ...... 97
■Chapter 7: A New Security Architecture to Improve Business Agility ...... 99
  The 9 Box of Controls, Business Trends, and Architecture Requirements ...... 101
    9 Box of Controls ...... 101
    IT Consumerization ...... 102
    New Business Needs ...... 103
    Cloud Computing ...... 104
    Changing Threat Landscape ...... 104
    Privacy and Regulatory Requirements ...... 105
  New Architecture ...... 105
    Trust Calculation ...... 106
    Security Zones ...... 109
    Balanced Controls ...... 113
    Users, Data, and the Internet of Things: The New Perimeters ...... 115
  Conclusion ...... 116
■Chapter 8: Looking to the Future: Emerging Security Capabilities ...... 117
  Internet of Things ...... 120
  Consistent User Experience Across Devices ...... 121
  Cloud Computing ...... 122
  Big Data Analytics ...... 122
  Artificial Intelligence ...... 122
  Business Benefits and Risks ...... 123
    New Security Capabilities ...... 123
    Baseline Security ...... 124
    Context-Aware Security ...... 126
  Conclusion ...... 127
■Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk ...... 129
  The Expanding Scope of Corporate Social Responsibility ...... 130
  The Evolution of Technology and Its Impact ...... 132
  Maintaining Society’s Trust ...... 134
  The Ethics of Managing Information Risk ...... 135
  Conclusion ...... 137
■Chapter 10: The 21st Century CISO ...... 139
  Chief Trust Officer ...... 139
  The Z-Shaped Individual ...... 141
  Foundational Skills ...... 142
  Becoming a Storyteller ...... 143
  Fear Is Junk Food ...... 144
    Accentuating the Positive ...... 145
  Demonstrating the Reality of Risk ...... 146
  The CISO’s Sixth Sense ...... 147
    Taking Action at the Speed of Trust ...... 148
  The CISO as a Leader ...... 148
    Learning from Other Business Leaders ...... 149
    Voicing Our Values ...... 150
    Discussing Information Risk at Board Level ...... 151
  Conclusion ...... 153
■Chapter 11: Performance Coaching ...... 155
  How to Use the Tables ...... 156
    Independence and Initiative ...... 157
    Efficiency and Effectiveness ...... 158
    Commitment ...... 160
    Professionalism ...... 161
    Discipline ...... 161
    Teamwork ...... 162
    Problem-Solving ...... 163
    Communication ...... 164
    Goal-Setting ...... 168
  Conclusion ...... 169
■Appendix A: References ...... 171
Index ...... 181
Foreword
Security and first-person shooter video games have one obvious thing in common: if
you’re not continuously moving, you’re dead. In this second edition of Managing Risk
and Information Security, Malcolm Harkins helps us move our thinking into areas of risk
that have become more prominent over the last several years.
Because there is so much new content in this edition, I will focus on a topic that has
risen to greater prominence since the first edition: people are the perimeter. When we
reflect on what has changed in recent years, with an eye to the vulnerabilities that result
in real-world compromises, a pattern emerges: virtually all the major breaches that we
have seen involve manipulation of people. When nearly everyone has heard of phishing,
we have to ask ourselves: why is it still such an effective tool?
The obvious theory is that we haven’t managed people risk as well as we should.
Perhaps we have been standing still and need to learn how to dodge and experiment
with the way we drive better people-security outcomes. Unfortunately, the path is not
100% clear. Unlike technology, the field of influencing human behavior in security is
remarkably complicated and supported by limited research.
Malcolm provides us with a great foundation and framework to build our
“security engagement” functions. I like to use the word “engagement” because it
speaks to how the security organization relates to the workforce in a manner that isn’t
simply bounded by the more traditional term “training and awareness.” Engagement
encompasses anything that shifts the desired behavior outcome in the direction we want
it to go. I have seen remarkable shifts in measured behavior from the use of
non-traditional tools such as security gamification and simulation.
The way Malcolm differentiates between “compliance” and “commitment” is key.
Managing Risk and Information Security is an ever-evolving classic in the field of security
management.
—Patrick Heim
Head of Trust & Security, Dropbox
Praise for the second edition
of Managing Risk and
Information Security
We assign Malcolm’s book to our Carnegie Mellon CISO-Executive
Program students on their first day of class. It is relevant, pragmatic, and
solution oriented. Our adversaries are changing their practices and so
must we. Malcolm’s book is a terrific tool for the modern-day info sec
leader who wants to shift from security as a restriction to security as a
business enabler.
—Andy Wasser
Associate Dean, CMU Heinz College
Malcolm is a top-notch executive, security leader, and innovator, with
a keen ability to convey thought-provoking and valuable insights. His
latest effort demonstrates remarkable foresight into the skills necessary
to excel as a security leader today and tomorrow.
—Clayton J. Pummill
Executive Director, Security Advisor Alliance
I could go on and on about what I liked specifically—there was
much, including the discussion about governance models and social
responsibility—but here is the net: this is the first time I’ve seen
someone be able to speak to security specifics while also raising the
conversation to a much higher level. It begins to take on an Alvin Toffler
feel from his astounding book, The Third Wave. Malcolm’s thoughts are
philosophically sweeping while at the same time imminently practical.
—Todd Ruback, Esq., CIPP-US/E, CIPT
Chief Privacy & Security Officer & V.P. Legal Affairs, Ghostery
Malcolm Harkins is a foremost expert at managing risk and information
security. In this latest book, he further expands his Protect to Enable
philosophy and does so in a way that offers practical and actionable
initiatives that any risk manager or CISO can implement to protect their
enterprise while enabling business growth. A must-read for CISOs and
their teams!
—Tim Rahschulte, Ph.D.
Chief Learning Officer & Content Officer, Evanta
Malcolm Harkins is a visionary thought leader on cyber security and risk
management. Managing Risk and Information Security is a must read.
Malcolm helps readers immediately take the information and apply it to
their own organizations. You will find that this book cuts through the fog
and provides a clear picture of where and what to focus on to effectively
manage cyber business risk.
—Phil Ferraro
Global CISO and Cyber Security Consultant
The CISO is more than just a technology expert; she must be savvy
about leadership, influence, and change across complex organizations;
someone who sees her mission not to just drive implementation of a
large system, but to foster sustainable culture change at every level. As
an organizational psychologist, I recognize Harkins’ keen eye for group
dynamics and leadership tactics that enable CISOs to enhance enterprise
security. He puts his finger on the habits, assumptions, and decision
processes typical of many employees and teams, as they unknowingly
increase security risk, and for that alone this book is a gem. It should be
required reading for aspiring CISOs and for anyone who has a role in the
recruitment and hiring of CISOs.
—Marc Sokol, PhD
Executive Editor, People + Strategy
Malcolm Harkins’ take on information security and risk is a refreshing
change from the increasingly frequent alarm bells raised in the press
with regard to the “brave new world” where technology is presented as
an ever-escalating conflict between our seemingly insatiable appetite for
connectivity, cool applications, and customized information, on the one
hand, and a desire to control who has our information and how they may
use it, on the other. Harkins instead offers a cool, clear-eyed perspective
where managing information and risk are placed in a wider context. His
prescriptions and frameworks are recipes for well-managed organizations
in the broadest sense. They allow us to embrace our new-found
technological abilities without fear because we have defined their purpose
capaciously enough to be a positive good, to be of service to all a company’s
stakeholders. That is, once we set a truly human course, technology serves
rather than threatens us. Organization purpose, when defined in this way,
is an expression of our values and is empowered by that fuel. Harkins’ book
is a practical as well as purposeful guide to a values-driven implementation
of information technology.
—Mary C. Gentile, PhD
Author of Giving Voice To Values: How To Speak Your Mind
When You Know What’s Right (Yale University Press)
In today’s rapidly evolving security landscape, security professionals are
navigating a complex set of dynamics across the enterprise. In Managing
Risk and Information Security, Malcolm Harkins draws on his rich
security experience to present a connected view of where companies
should be focused. He puts forth a valuable perspective, as organizations
around the world look to create a necessary balance of protection and
innovation, which ultimately enables business success.
—Bret Arsenault
Corporate Vice President and CISO, Microsoft Corporation
Malcolm generously shares through personal experiences and storytelling
the formula for a successful 21st century CISO. It is one part
multi-disciplinary leader and one part trusted advisor to the business,
combined with behavioral models required for balanced risk decision
making. A must-read for all new CISOs. Malcolm lives his beliefs.
—Nasrin Rezai
GE Corporate Security & Compliance Officer
In the second edition of his book, Malcolm seamlessly articulates the
future horizon of cyber security and the critical role that the CISO and
security professionals will need to fulfill in order to defend both the
company and consumers they serve. The guidance he provides into the
skills, leadership, and approach required for successfully navigating
the emerging challenges of securing a digital economy is invaluable.
Regardless of your current role, this is a must-read for everyone who has
accepted this great responsibility and privilege.
—Steven Young
CISO, Kellogg Company
While other security officers are looking to the traditional or the latest
“cool” product, Harkins goes against the tide and asks the questions that
need addressing. His forward-thinking mindset and Protect to Enable
approach inspire others to innovate and go beyond the mainstream.
If you cannot bring Harkins to your company for mentoring, this book
will at least spark thought and will change how your engineers view
security within the business.
—Charles Lebo
Vice President and CISO, Kindred Healthcare
Malcolm’s vast experience makes him one of the most credible security
leaders on the international stage and serves as the perfect platform for
this book. Rational, compelling, and authoritative writing is far too rare
in the world of risk and information security, but Malcolm completely
nails it in Managing Risk and Information Security with invaluable
advice and recommendations for anyone planning a future in the
security world. His extensive experience in business before becoming
a CISO is one of the missing ingredients in many security executives’
professional toolbox, which is why this is such an important
book. Make sure to keep a highlighter and notepad handy because there
are a lot of nuggets in here you’ll want to remember on your journey to
becoming a better security professional.
—Mark Weatherford
Chief Cybersecurity Strategist at vArmour and
former Deputy Under Secretary for Cybersecurity
at the US Department of Homeland Security
I’ve had the privilege of working with many talented CISOs over the
years and Malcolm is one of the best. His logical, methodical approach
to solving the most complex cybersecurity problems is reflected in his
lucid style. An enlightened approach to understanding risk that unites
all stakeholders and a systemic intelligence-based approach to security
infrastructure are the only ways to reduce the threat to manageable
levels. This is our best path forward if we are ever to realize the vast
potential of the innovative digital world we are creating. In Managing
Risk and Information Security, Malcolm shines a light on that path in a
comprehensive yet very readable way.
—Art Coviello
Former CEO and Executive Chairman, RSA
xxi
About the Author
Malcolm Harkins is the Chief Security and Trust Officer
(CSTO) at Cylance Inc. In this role, he reports to the CEO
and is responsible for enabling business growth through
trusted infrastructure, systems, and business processes.
He has direct organizational responsibility for information
technology, information risk, and security, as well as
security and privacy policy. Malcolm is also responsible
for peer outreach activities to drive improvement across
the world in the understanding of cyber risks and best
practices to manage and mitigate those risks.
Previously, Malcolm was Vice President and
Chief Security and Privacy Officer (CSPO) at Intel
Corporation. In that role, Malcolm was responsible
for managing the risk, controls, privacy, security, and
other related compliance activities for all of Intel’s
information assets, products, and services.
Before becoming Intel’s first CSPO, he was
the Chief Information Security Officer (CISO)
reporting into the Chief Information Officer. Malcolm also held roles in finance,
procurement, and various business operations. He has managed IT benchmarking and
Sarbanes-Oxley–compliance initiatives. Harkins acted as the profit and loss manager for
the Flash Product Group at Intel; was the general manager of Enterprise Capabilities,
responsible for the delivery and support of Intel’s Finance and HR systems; and worked in
an Intel business venture focusing on e-commerce hosting.
Malcolm previously taught at the CIO Institute at the UCLA Anderson School of
Management and was an adjunct faculty member at Susquehanna University in 2009. In
2010, he received the RSA Conference Excellence in the Field of Security Practices Award.
He was recognized by Computerworld as one of the Premier 100 Information Technology
Leaders for 2012. (ISC)² recognized Malcolm in 2012 with the Information Security
Leadership Award. In September 2013, Malcolm was recognized as one of the Top 10
Breakaway Leaders at the Global CISO Executive Summit. In November 2015, he received
the Security Advisor Alliance Excellence in Innovation Award. He is a Fellow with the
Institute for Critical Infrastructure Technology, a non-partisan think-tank that provides
cybersecurity briefings and expert testimony to the U.S. Congress and federal agencies.
■ ABOUT THE AUTHOR
xxii
Malcolm is a sought-after speaker for industry events. He has authored many white
papers and in December 2012 published his first book, Managing Risk and Information
Security. He also was a contributing author to Introduction to IT Privacy, published in
2014 by the International Association of Privacy Professionals.
Malcolm received his bachelor’s degree in economics from the University of California
at Irvine and an MBA in finance and accounting from the University of California at Davis.
xxiii
Acknowledgments
I received valuable feedback from many readers of the first edition of this book. That
feedback helped me to expand the book with additional insights, clarifications, and
updated examples. It also encouraged me to add two more chapters to the second
edition: one on corporate social responsibility, and the other on performance coaching.
Special thanks to Mike Faden: without his help this book would not have happened.
As I noted in the first edition, many people during my journey at Intel helped me
learn and grow. A number of them published material that is still referenced in this
second edition.
Other experts who have helped me come from a variety of different peer groups.
They include members of the Bay Area CSO Council, the Executive Security Action
Forum, the members and staff of CEB and its Information Risk Leadership Council,
participants in the Evanta CISO Executive Summits and the CISO coalition, as well as the
Security Advisor Alliance.
Finally, I wish to thank Stuart McClure for giving me the opportunity to join Cylance.
xxv
Preface
If you don’t believe in the messenger, you won’t believe the message.
You can’t believe in the messenger if you don’t know what the messenger
believes.
You can’t be the messenger until you’re clear about what you believe.
—James Kouzes and Barry Posner,
in The Leadership Challenge
A great deal has transpired since the first edition of this book was published in January
2013, both in the world of information risk and in my personal life and career. To briefly
cover the latter, in January 2013, I was named Intel’s Chief Security and Privacy Officer.
My broad role was one of the first of its kind in corporate America: I was charged with
managing and mitigating risk for Intel’s products and services worldwide, in addition to
Intel’s internal IT environment. In June 2015, I left Intel to become CISO at Cylance Inc.,
and in May 2016, I was named Cylance’s Chief Security and Trust Officer.
These career changes occurred during an extraordinary period of escalating
information risk, as evidenced by an almost continuous stream of major hacks and
breaches, and a corresponding rise in society’s awareness of risk. Some key examples:
• May 2013: Edward Snowden flies to Hong Kong after leaving
his job at an NSA facility in Hawaii. The following month, he
reveals thousands of classified NSA documents. The disclosures,
including previously unknown government surveillance
programs, continue to cause worldwide repercussions today.
• December 2013: The blog Krebs On Security reports a massive
data breach at Target. The company confirms the breach the next
day. Within months, Target’s CIO and CEO both resign amid the
fallout.
• May 2014: A U.S. grand jury indicts five Chinese military officers
on charges of hacking American companies and stealing trade
secrets.
• November 2014: Employees at Sony Pictures arrive at work to
discover their network has been hacked. Attackers steal and then
erase data on thousands of systems, forcing studio employees to
revert to using fax machines and pen and paper. The attackers
then dump huge batches of confidential business and personal
information online.
■ PREFACE
xxvi
• March 2015: Google’s Project Zero hacking team demonstrates
the ability to exploit a fundamental flaw in DDR3 SDRAM to
perform privilege escalation attacks on systems containing the
chips. Some mitigation approaches are available, short of replacing
the DDR3 memory in millions of systems worldwide.
• June 2015: The US Office of Personnel Management announces
a data breach targeting the personal data of up to 4 million
people. The attack, which includes security clearance-related
information, is one of the largest-ever breaches of government
data. By July, the estimated number of stolen records increases to
21.5 million.
• February 2016: The Hollywood Presbyterian Medical Center in
Los Angeles says it has paid a bitcoin ransom to attackers who
held its systems hostage, encrypting data and blocking access by
hospital staff. Some believe the healthcare industry is the next
major target for cyber criminals.
Given this escalating cycle of risk, and the potential catastrophic societal
implications of today’s attacks, we must all be ready to be held accountable. This may
require a large mental shift for those used to simply assigning responsibility and blame
for a breach to the people who traditionally perform post-attack cleanup: corporate IT
departments, internal information security teams, and investigations and computer
forensics groups. Everyone, from corporate executives to security practitioners, shares
responsibility for security and privacy. We must all step back and contemplate our own
personal responsibilities, not only to the organizations we work for and the customers we
serve, but also to society as a whole.
The challenge we sometimes face is how to characterize that responsibility. Is our
responsibility to limit liability for our organizations? Or is it a duty of care to the people
whose information we store? What values are we using when we make decisions about
cyber risk, and what bias do those values create in our decisions? Are we forward-
looking enough, or will the decisions we make to fix our problems today create other
problems in the future? As Benjamin Franklin once said, “All human situations have their
inconveniences. We feel those of the present but neither see nor feel those of the future;
and hence we often make troublesome changes without amendment, and frequently for
the worse.”
As security and privacy professionals, a key part of our role is to ensure the right
dialogue and debate occurs. We need to ask “high-contrast” questions that sharply
define the implications of the choices our organizations make. We need to make sure
that the opportunities are as clearly defined as the obligations to mitigate risk, so that
our organizations make the right decisions. And we need to take equal responsibility for
the outcomes of those choices, as opposed to abdicating that responsibility solely to the
business. Once the choice is made, we must transition out of the debate about what is
right and focus on taking the right actions—on making tomorrow better than today.
We can think of this as doing what’s right. We can think of it as protecting our
customers and partners and keeping our markets healthy for everyone. No matter what
motivates us, thoughtfully building systems to support a culture of genuine responsibility
for privacy and security is not only good corporate responsibility; it is also good for
business. For computing to continue to improve the world we live in rather than endanger
it, it needs to be trustworthy. And for that trust to be deliverable, we need to ensure the
data we enter into our computers is both secure and private. As an organization, we
demonstrate and build trust through our approach to solving these cyber-risk challenges.
In the preface of the first edition, I said “Managing Risk and Information Security is
a journey, but there is no finish line. Our approach to managing information risk must
continue to evolve as rapidly as the pace of business and technology change. My hope is
that people will read this book and begin their own journey.”
I still firmly believe what I said then. But I also believe that, as General George
Marshall once said, “The only way human beings can win a war is to prevent it.” We
are at war against adversaries who wish to harm the users of technology. But there is
also a battle among those responsible for protecting security and privacy. On one side
are organizations that would like to continue on the current path because they profit
from the insecurity of computing, or that approach the duty of care with a bias towards
limiting liability rather than protecting their customers. On the other side are those who
believe that our role is to generate trust. We do that by protecting to enable people and
businesses. It’s a hard road; I know, because I experience it every day. But we shouldn’t
back away from something just because it is hard. We need to plant our feet and stand
firm. The only question is where we plant our feet.
1
© Malcolm W. Harkins 2016
M.W. Harkins, Managing Risk and Information Security,
DOI 10.1007/978-1-4842-1455-8_1
CHAPTER 1
Introduction
There are two primary choices in life: to accept conditions as they exist,
or accept the responsibility for changing them.
—Denis Waitley
In January 2002, I was hired to run a new Intel internal program called Security and
Business Continuity. The program had been created following the major security events
of the previous year (9/11 and the Code Red/Nimda viruses) and it focused primarily
on the availability risks at that time. I had no background in technical security, but I
had been at Intel for nearly 10 years in a variety of business-related positions, mostly
in finance. As I learned about information risk during the first few months, it became
apparent to me that the world was starting to change rapidly and that a “perfect storm”
of risk was beginning to brew. In June 2002, I put together a diagram (Figure 1-1) to
explain the risks to my manager, Intel’s CIO, and anyone who would listen to me.
The diagram has been updated slightly since then to more explicitly highlight the
geo-political forces that are a key part of the threat, vulnerability, and regulatory
risk landscape.
CHAPTER 1 ■ INTRODUCTION
2
Today, it is clear that my view of the world was essentially accurate. Security breaches
and intrusions are reported almost daily at organizations of all sizes, legal and regulatory
issues related to technology use continue to grow, and geo-politics have surged to the
forefront of some of these discussions in a post-Snowden era. Cyber attacks and data
breaches are now considered the biggest threats to business continuity, according to a
recent survey (Business Continuity Institute 2016).
But the key question that I asked in the first edition of this book is still valid. Is
information security really effective? Given the rapid evolution of new technologies and
uses, does the information security group even need to exist?
Obviously, this is a somewhat rhetorical question. I cannot imagine that any sizeable
organization would operate well without an information security function. But the real
issue is whether the information security group should continue to exist as it does today,
with its traditional mission and vision. It is clear from the prevalence of breaches and
compromises that we have not kept up with the threats, and we appear to be slipping
farther behind as the world grows more volatile, uncertain, and ambiguous. It is no
wonder that we have fallen behind: as the world of technology expands exponentially,
so do the technology-related threats and vulnerabilities, yet our ability to manage
those security and privacy risks has progressed only at a linear rate. As a result, there
is a widening gap between the risks and the controls. In fact, many organizations have
essentially given up actively trying to prevent compromises and have defaulted to
reliance on after-the-fact detection and response tools.
Figure 1-1. The perfect storm of information risk
As information risk and security professionals, we should be asking ourselves
pointed questions if we wish to remain valuable and relevant to our organizations. Why
do we exist? What should our role be? How are new consumer and Internet of Things
(IoT) technologies shaping what we do, and can we shape the world of these new
technologies and usage models? How is the evolving threat landscape shaping us, and
can we shape the threat landscape? Given the bewildering pace at which technology
changes and new threats appear, how do we focus and prioritize our workload? What
skills do we need?
Traditionally, information security groups in businesses and other organizations
have taken a relatively narrow view of security risks, which resulted in a correspondingly
narrow charter. We focused on specific types of threats, such as malware. To combat
these threats, we applied technical security controls. In an attempt to protect against
attacks and stop them reaching business applications and employees’ PCs, we fortified
the network perimeter using firewalls and intrusion detection software. To prevent
unauthorized entry to data centers, we installed physical access control systems. Overall,
our thinking revolved around how to lock down information assets to minimize security
risks, and how to reactively detect and respond to risks as they presented themselves.
Today, however, I believe that this narrow scope not only fails to reflect the full
range of technology-related risk to the business; it is detrimental to the business overall.
Because this limited view misses many of the risks that affect the organization, it leaves
areas of risk unmitigated and therefore leaves the organization vulnerable in those
areas. It also makes us vulnerable to missing the interplay between risks and controls: by
implementing controls to mitigate one risk, we may actually create a different risk. And
by focusing primarily on detection and response, we are not preventing harm; we are just
trying to limit the damage.
As I’ll explain in this book, we need to shift our primary focus to adopt a broader
view of risk that reflects the pervasiveness of technology today. Organizations still need
traditional security controls, but they are only part of the picture.
There are several reasons for this. All stem from the reality that technology plays an
essential role in most business activities and in people’s daily lives.
Technology has become the central nervous system of a business, supporting the flow
of information that drives each business process from product development to sales. In
addition, as I’ll discuss throughout this book, almost every company is becoming a supplier
of technology in some form, as technology becomes a vital element of most products,
services, and infrastructure from cars and household appliances to the power grid.
The role of technology in peoples’ personal lives has expanded dramatically, too, and
the boundaries between business and personal use of technology are blurring. Marketers
want to use social media to reach more consumers. Employees want to use their personal
smartphones to access corporate e-mail.
Meanwhile, the regulatory environment is expanding rapidly, affecting the way that
information systems must manage personal, financial, and other information in order to
comply—and introducing a whole new area of IT-related business risks.
Threats are also evolving quickly, as attackers develop more sophisticated
techniques, often targeted at individuals, which can penetrate or bypass controls
such as network firewalls, traditional antivirus solutions, and outdated access control
mechanisms such as passwords.
In combination, these factors create a set of interdependent risks to a business’s
information and technology, from its internal information systems to the products and
services provided to its customers, as shown in Figure 1-2.
Figure 1-2. Managing the interdependent set of technology-related risks
Traditional security thinkers, and other control-oriented thinkers, would respond to
this situation by saying “no” to any technology that introduces new risks. Or perhaps they would
allow a new technology but try to heavily restrict it to a narrow segment of the employee
population. An example of this over the past few years was the view at some companies
that marketers should not engage consumers with social media on the company’s web
site because this meant accumulating personal information that increased the risk of
noncompliance with privacy regulations. Another example was that some companies
didn’t allow employees to use personal devices because they were less secure than
managed business PCs.
The reality is that because IT is now integrated into everything that an organization
does, security groups cannot simply focus on locking down information assets to
minimize risk. Restricting the use of information can constrain or even disable
the organization, hindering its ability to act and slowing its response to changing
market conditions. A narrow focus on minimizing risk therefore introduces a larger
danger: it can threaten a business’s ability to compete in an increasingly fast-moving
environment.
THE CHALLENGES OF RISING SECURITY COSTS AND
SKILLS SHORTAGES
Growing recognition of the importance of security and privacy, triggered largely by
highly publicized breaches, has led to sharply increasing security spending and
an accompanying skills shortage. If the current trajectory continues, Gartner Inc.
predicts that by 2017 the typical IT organization will spend up to 30 percent of its
budget on risk, security, and compliance, and will allocate 10 percent of its people
to these security functions. That is triple the levels of 2011 (Gartner 2015b). At the
same time, skill shortages may worsen; more than a third of security managers
surveyed in 2015 reported significant obstacles in implementing security projects
due to inadequate staffing (Morgan 2015). One question is how much of the
projected cost increase is due to under-investment in the past, and how much is due
to the fact that organizations have invested in technologies that do not adequately
reduce risk. To break the cycle, as I’ll explain in Chapter 7, we need a new security
model and tools that create a demonstrable decrease in the risk curve, with a
greater focus on effective prevention and machine learning to reduce cost and
manual effort.
Protect to Enable®
To understand how the role of information security needs to change, we need to
re-examine our purpose. We need to Start with Why, as author Simon Sinek argues
convincingly in his book of the same name (Portfolio, 2009). Why does the information
security group exist?
As I considered this question back in 2010, and discussed it with other members
of the risk and security team that I led at Intel, I realized that we needed to redefine our
mission. Like the IT organization as a whole, we exist to enable the business, to help
deliver IT capabilities that provide competitive differentiation. Rather than focusing
primarily on locking down assets, the mission of the information risk and security group
must shift to enabling the business while applying a reasonable level of protection. To
put it another way, we provide the protection that enables information to flow through
the organization, our partners, and our customers. We also provide the protection for the
technology that our organizations create to provide new experiences and opportunities
for our customers.
The core competencies of information security groups—such as risk analysis,
business continuity, incident response, and security controls—remain equally relevant as
the scope of information-related risk expands to new areas, such as technology-enabled
products and services, as well as privacy and financial regulations. But rather than saying
“no” to new initiatives, we need to figure out how to say “yes” and think creatively about
how to manage the risk.
During my time at Intel, the security group’s mission evolved toward this goal as
we helped define solutions to a variety of technology challenges. For example, my team
recognized as early as 2002 that implementing wireless networks within Intel’s offices
could help make the workforce more productive and increase their job satisfaction by
letting them more easily connect using their laptops from meeting rooms, cafeterias, and
other locations. At the time, many businesses avoided installing wireless networks within
their facilities because of the risk of eavesdropping or because of the cost. We learned
pretty quickly that when we restricted wireless LAN deployments or charged departments
additional fees to connect, we actually generated more risks. This was because the
departments would buy their own access points and operate them in an insecure
fashion. We recognized that the benefits of installing wireless LANs across the company
outweighed the risks, and we mitigated those risks using security controls such as device
authentication and transport encryption. By 2004, that approach had enabled ubiquitous
wireless and mobile computing that propelled productivity and actually reduced risks.
A more recent example that many organizations have experienced: for years, Intel
didn’t allow employees to use personal smartphones for business, due to concerns about
privacy and other risks such as data theft. However, we experienced growing demand from
employees soon after the launch of the iPhone 3 in 2009. We realized that letting them use
these consumer devices to access e-mail and other corporate systems would help boost
employee satisfaction and productivity.
By working closely with legal and human resources (HR) groups, we defined security
controls and usage policies that enabled us to begin allowing access to corporate e-mail
and calendars from employee-owned smartphones in early 2010. The initiative was highly
successful, with a massive uptake by employees, overwhelmingly positive feedback, and proven
productivity benefits (Evered and Rub 2010, Miller and Varga 2011). The success of the initiative
led to its selection for an in-depth Ivey Business School case study (Compeau et al. 2013).
The transformation within the information security group was reflected in changes
to our mission statement and top priorities over the years. In 2003, the internal mission
statement reflected the traditional focus and scope of information security organizations:
the overarching goal was to protect information assets and minimize business disruption.
By 2010 it was clear to me that we needed to simplify our purpose and also broaden
the scope. So in 2011, I changed our mission to Protect to Enable to express the idea that
our primary goal was to find ways to enable the business while providing the protection
necessary to reduce the risk to an acceptable level.
For a few years after this, I thought of information risk and security as a balancing
act. I felt that we needed to try to find the right balance between providing open access to
technology and information to enable the business and locking down assets. Providing
open access allows greater business agility. The business can move more quickly with
fewer restrictions. Employees can work more freely, and the faster flow of information
allows the company to grow and transform.
But as my responsibilities grew to encompass security and privacy not only for
internal systems but also for all aspects of products and services, I realized that a
balancing act was the wrong analogy. We should not start from a position of making
trade-offs between risks and enablement, or between security and privacy. So I began
using a different model that I now feel more accurately represents the challenges of
managing information risk: we should take on the harder task of optimizing what is
really a multivariate equation of risk dynamics and business objectives in order to create
solutions that are “tuned to target,” as shown in Figure 1-3.
For each problem and solution, we try to optimize or “tune” five primary variables:
• Risk and Compliance: Meeting security, privacy and compliance
requirements, based on the organization’s risk tolerance and
security and privacy principles.
• Cost and Maintenance: The total cost of controls, factoring in
deployment and maintenance costs.
• Productivity and User Experience: The extent to which controls
hinder business velocity by making it harder for users to do their
jobs. I call this control friction. In addition, if we make it difficult
or time-consuming for users to follow security policies or use
security tools, they’ll ignore them, thus creating more risks. (See
the discussion of the 9 Box of Controls in Chapter 7).
• Market Objectives: The company’s goals, such as increased
market share.
• Customer Needs: Our customer’s privacy and security needs, as
well as their overall experience.
Ultimately there may be cases where we cannot fully optimize each item and we
need to make trade-offs, but that doesn’t mean we shouldn’t try.
Figure 1-3. Tuned to target: optimizing the equation to meet business objectives and
customer needs
I hope that this model may help information security groups at other organizations
think about how these priorities relate to their own businesses. The optimization points
for each variable and objective will depend on factors such as the organization’s overall
culture, technical acumen, and appetite for risk.
Building Trust
I believe that if computing is to continue to improve the world we live in, rather than
endanger it, it must be trustworthy. Unfortunately, as I describe in Chapter 9, the privacy
and security breaches that have hit the headlines in recent years have weakened the
public’s trust in technology, according to the Edelman Trust Barometer, a widely used
indicator. The rapid implementation of new technologies emerged as a new factor in
depressing trust overall. “By a two-to-one margin, respondents in all nations feel the new
developments in business are going too fast and there is not adequate testing,” the study
concluded (Edelman 2015).
To rebuild trust in technology, we need to ensure the data we enter into our systems
is both secure and private. At Cylance, we strive to cultivate a work environment where
security, privacy, and trust are an integral part of the evolving culture of the company and
foundational to the design, development, and delivery of our products and services.
To analyze the context that led to my approach to the risk and security mission, and
helped to shape top priorities, I’ll explore some of the key changes in the landscape:
the rapidly expanding regulatory environment, the emergence of new devices and
technologies, and the changing threat landscape.
Keeping the Company Legal: The Regulatory Flood
Until the early 2000s, I didn’t see regulatory compliance as a top priority for information
security. That’s simply because there weren’t many regulations that impacted IT, at least
in the United States. There were a few exceptions that affected a subset of companies,
including Intel, such as controls on certain high-tech exports. And in European
countries, there were already regulations that sought to protect personal information.
But in general, IT groups didn’t have to dedicate much of their time, or budget, to
regulatory compliance.
The change in the last decade has been extraordinary. We have seen a flood of new
regulations implemented at local, national, and international levels. They affect the
storage and protection of information across the entire business, from the use of personal
information for HR and marketing purposes, to financial data, to the discovery of almost
any type of document or electronic communication in response to lawsuits. And with
growing concerns about cyberwarfare, cyberterrorism, and hacktivism, several countries
are evaluating additional cybersecurity legislation in an attempt to protect critical
infrastructure and make industries more accountable for strengthening security controls.
In most cases, these regulations do not aim to specifically define IT capabilities;
however, because information is stored electronically, there are huge implications
for IT. The controls defined in the regulations ultimately must be implemented in the
organization’s systems. These systems include more than just technology: they consist of
CHAPTER 1 ■ INTRODUCTION
9
people, procedures, devices, and applications. The business risk includes a significant
IT-related component, but we must take a holistic view of risk management. Noncompliance
can damage a company’s brand image, profitability, and stock price—not just through
resulting legal problems, but through bad publicity.
Let’s take a brief look at some of the key areas and regulations that are having the
biggest impact.
Privacy: Protecting Personal Information
For many US companies, the wake-up call was the California data security breach
notification law (State Bill 1386), which became effective in 2003. A key aspect of this
law requires companies that store personal information to notify the owner of the
information in the event of a known or suspected security breach. Businesses could
reduce their exposure, as well as the risk to individuals, by encrypting personal data.
After this, other states quickly followed suit, implementing regulations that generally
follow the basic tenets of California’s original law: companies must promptly disclose a
data breach to customers, usually in writing.
In addition, federal laws, such as the Health Insurance Portability and Accountability
Act (HIPAA), have addressed specific categories of personal information. Further
regulations have been added in other countries, too, such as the updated data-protection
privacy laws implemented in Europe (European Commission 2011, 2012).
The implications of these local and national regulations extend beyond geographical
boundaries. As companies do more business online, they’re increasingly likely to acquire
and store information about customers from other countries, and find that they also
need to comply with regulations around the world. Those regulations may change, with
implications for businesses in multiple countries. In late 2015, for example, Europe’s
highest court struck down the so-called “safe harbor” agreement that had allowed
companies to move information about consumers between the European Union and
the United States. The replacement EU-US Privacy Shield, agreed after three months of
negotiations, aimed to address European privacy concerns with written guarantees that
US intelligence agencies would not have indiscriminate access to Europeans’ personal
data stored in the US (Scott 2016).
The issue can become even more complex when businesses outsource application
development or HR functions to providers located in yet another country. Now, software
developers in India may be building and operating the systems that collect information
about Europeans for US companies, making it even more difficult for businesses to
navigate compliance with all relevant privacy regulations.
Personalization vs. Privacy
Privacy concerns are set to become even more important over time, as businesses
increasingly seek to create online experiences tailored to the needs of individual users.
The more a business knows about each individual, the more it can personalize services
and offer targeted advertising based on income and preferences.
Many users also like personalized services. If a web site “remembers” them, they
don’t need to enter the same information each time they visit the site, and they’re more
likely to see content and offers relevant to their needs. In fact, companies may be at a
disadvantage if they don’t personalize services because users may prefer a web site from a
competitor that offers a more streamlined experience.
However, there’s an inevitable conflict between personalization and privacy.
The personalization trend is fueling the growth of an industry focused on collecting,
analyzing, and reselling information about individuals. This industry existed long before
the Web; personal information has been used in mass-mailing campaigns for decades.
However, the Web is both increasing demand for this information and providing
new ways to collect it. Companies now have opportunities to collect information from
multiple online sources, correlate and analyze this information, and then sell it to others.
And of course, consumers’ fears that information will be lost or misused have increased
accordingly.
For businesses, however, offering personalized services also can increase
compliance concerns. As companies store more personal information, they are
responsible for safeguarding that information and are liable for any loss or compromise.
In many parts of the world, companies are also required to explain why they are collecting
personal data, how they are protecting it, and how long they will keep it.
We can expect continuing tension due to conflicting desires for personalization and
privacy—and more regulation as a result. Governments clearly believe that businesses
cannot be relied upon to regulate themselves, so they will continue to add regulations
designed to protect the privacy of individuals. Meanwhile, businesses will seek new ways
to collect more information so that they can further personalize services. Developing
compliance strategies and guidelines becomes even more pressing.
Financial Regulations
Financial regulation surfaced as a top priority in the United States with the Sarbanes-
Oxley Act (SOX), which emerged from the public outrage over corporate and financial
accounting scandals at companies such as Enron and WorldCom. These scandals cost
investors billions of dollars and damaged public confidence. To help avoid similar
catastrophes in the future, SOX imposed financial tracking requirements designed to
ensure that a company’s financial reporting is accurate and that there hasn’t been fraud
or manipulation. Once enacted, SOX required publicly held companies to meet specific
financial reporting requirements by the end of 2004.
Although the Sarbanes-Oxley Act doesn’t mandate specific technology controls,
it has major implications for IT. Ensuring financial integrity requires controls to be
implemented within everyday financial processes. In practice, this means they must
be enforced within the IT applications and infrastructure that support those processes.
Purchases above specific thresholds may require approval from the finance group; the
underlying applications have to support this workflow, and to be sure the applications
function correctly, businesses need to establish the integrity of the underlying computer
infrastructure. Compliance with financial regulations therefore creates a series of IT
requirements, from making sure that applications provide the right functionality to
implementing access controls and updating software.
E-Discovery
Regulations governing the discovery of information for litigation purposes officially
extended their reach into the electronic realm in 2006. That’s when the US Supreme
Court’s amendments to the Federal Rules of Civil Procedure explicitly created the
requirement for e-discovery—the requirement to archive and retrieve electronic records
such as e-mail and instant messages.
This created an immediate need not just to archive information, but to automate its
retrieval. This is because records must be produced in a timely way, and manual retrieval
would take too long and be prohibitively expensive. The business risks of noncompliance
are considerable: unlike many countries, US practice allows for potentially massive
information disclosure obligations in litigation. Companies that fail to meet e-discovery
requirements may experience repercussions that include legal sanctions. The
implications are correspondingly onerous. Lawsuits may draw on information that is
several years old, so businesses must have the capability to quickly search and access
archived information as well as current data. E-discovery is further complicated by the
growth of cloud computing models such as software as a service (SaaS). As organizations
outsource more business processes and data to cloud service suppliers, they need to
ensure that their suppliers comply with their e-discovery needs.
Expanding Scope of Regulation
The regulatory universe continues to expand, with the likelihood of more regulations
that explicitly address IT, as new technologies emerge and governments try to control their
use and inevitable misuse. In the US, lawmakers have proposed legislation to increase
the security and privacy of connected cars, following a widely publicized demonstration
in which researchers hacked into a Jeep and took over its controls. The Food and Drug
Administration (FDA) has published cybersecurity guidelines describing requirements
for manufacturers of Internet-connected medical devices (FDA 2016).
The attempts by various governments to gain access to technology for the purposes
of combating terrorism have generated considerable impact and controversy. In China,
a new anti-terrorism law requires that technology companies hand over technical
information and help with decryption when the police or state security agents demand
it for investigating or preventing terrorist cases (Buckley 2015). In the US, even greater
controversy was generated by the US Government’s attempts to force Apple Computer
to create “back doors” that make it easier to access information on iPhones used by
terrorists or criminals. In India, after terrorists used unsecured Wi-Fi access points
to communicate information about their attacks, the government created a legal
requirement that any access point must be secured (Government of India Department of
Telecommunications 2009).
In other countries, businesses that operate unsecured Wi-Fi access points (a
common way to provide Internet access for visitors) may find themselves facing other
legal problems. For example, unscrupulous individuals may tap into the network to
access web sites for purposes such as illegally downloading music or pornography.
Access appears to originate from the company hosting the access point, which may then
find itself on the receiving end of correspondence or raids from the music industry or
government agencies.
The Rapid Proliferation of Information, Devices,
and Things
The computing environment is growing as rapidly as the regulatory environment. The
sheer volume of information is exploding, and it is being stored across a rapidly growing
array of devices. The Internet of Things will drive yet another exponential increase:
Gartner, Inc. estimates that during 2016, 5.5 million new “things” will be connected every
day, and Cisco expects 50 billion connected devices by 2020. In the not too distant future,
almost any device with a power supply may have an IP address and will be capable of
communicating—and being attacked—over the Internet.
Recent headlines have highlighted the growing threat activity focused on IoT, as I’ll
discuss further in Chapter 7. Researchers hacked into a Jeep via its Internet-connected
entertainment system and remotely controlled the vehicle’s functions (Greenberg 2015);
other researchers showed that thousands of medical devices in hospitals are vulnerable
to attack.
At the same time, the boundaries between work and personal technology have in
some cases completely dissolved. Whether businesses officially allow it or not, employees
are increasingly using their personal devices for work by sending e-mails from and storing
information on their personal smartphones and computers. Furthermore, people may
forward e-mail from business accounts to personal accounts created on external systems,
without considering that when they signed up for the personal account, they agreed to a
license that allows the external provider to scrutinize their e-mails.
The use of personal technology such as smartphones can considerably enhance
business productivity because employees can now communicate from anywhere at
any time. However, this also creates a more complex, fragmented environment with
more potential points of attack. Information is now exposed on millions of new devices
and disparate external networks, many of which do not have the same type of security
controls as corporate PCs, and all of which are outside corporate network firewalls. Not
surprisingly, mobile malware has become a major industry, and is still growing: one
survey found more than 1,200 known families of Android malware in 2014, more than
double the number found the previous year (Millman 2015).
The boundaries between work and personal lives are dissolving in other ways,
too. Employees store more information on the Internet—on business and consumer
social media sites, for example—than ever before. These sites are powerful tools for
communicating with audiences outside the corporate firewall.
However, just as there’s an industry gathering and analyzing personal information
for marketing purposes, information on the Web can be used for competitive intelligence
or for less legitimate purposes. Users store snippets of information in multiple places
on the Web. Although each of these snippets may not provide much information, when
pieced together they can provide new intelligence not just about the individual, but also
about the organizations to which the person belongs. Each item is like a single pixel in
a digital picture. Alone, it doesn’t convey much information; but step back, aggregating
information from a wider range of sources, and those pixels combine to form a portrait.
In the same way, pieces of information strewn across a variety of unrelated web sites—the
name of a department, workmates, pet names that might be used as passwords—can be
linked together to create a picture of an individual and used for malicious purposes.
The Changing Threat Landscape
The threat landscape is evolving rapidly, with an increase in highly organized and well-
funded groups capable of executing sustained attacks to achieve long-term goals, including
cyberespionage, cyberterrorism, and cyberwarfare. These attackers, generally known as
advanced persistent threats (APTs), were originally thought to focus mainly on governments
but more recently have also been shown to target private-sector organizations, with the
goal of stealing intellectual property or simply causing damage. APTs include nation-state
organizations, “hacktivist” groups attempting to publicize or further their cause, and
organized crime. Hacktivists who said they were targeting oppressive regimes claimed
responsibility for an attack that disabled more than 30,000 computers at the world’s biggest
oil producer, Saudi Aramco. The FBI blamed North Korea for a crippling attack on Sony
Pictures (Schmidt et al. 2015). In 2014, the US Justice Department indicted five Chinese
military hackers for stealing trade secrets and other information from US companies in the
nuclear power, metals, and solar industries (Department of Justice 2014); in 2016, the US
charged seven hackers linked to the Iranian government with hacking US banks and dam
operations (Nakashima and Zapotosky 2016).
The steady rise of organized cybercrime online is entirely logical. As the exchange
of money and information has moved online, organized crime has followed, focusing on
theft of valuable assets such as intellectual property. This has spawned a mature malware
industry that increasingly resembles the legitimate software industry, complete with a
broad set of services, guarantees, and price competition among suppliers. Ransomware,
which encrypts a victim’s data until a ransom is paid, is a recent trend.
Stealthy Malware
This evolving set of threat agents is using new, more sophisticated tools and methods
to mount attacks. Once upon a time, attackers were amateurish and often driven by
personal motives such as the prestige of bringing down a big company’s network.
Accordingly, the arrival of malware on a user’s machine was easy to detect: the malware
announced itself with icons or messages, and the system often became unusable.
Now the trend is toward malware that is stealthy and uses sophisticated techniques
to avoid detection. Attackers plant malware that lies undetected over a long period while
it captures information. Another common technique is to quietly spread malware by
injecting malicious code into an unsuspecting company’s web site; users who visit the site
then unknowingly download the code onto their systems.
Accompanying this is a shift from spam mass e-mails to carefully crafted
spearphishing attacks aimed at individuals or specific groups. These typically use social
engineering techniques, such as providing enough contextual or personal information in
an e-mail to tempt people to download malware or click on a link to an infected web site
created specifically for that purpose. Though more expensive to mount, spearphishing
attacks can be enormously profitable to cybercriminals; an analysis by a supplier of anti-
phishing solutions found that they were the primary initial attack method used by APTs
in 2015; 22% of attacks were motivated by financial fraud or other crimes (PhishLabs
2016). We can expect these stealthy and targeted attacks to continue, with new methods
emerging as necessary to circumvent defenses.
Nine Irrefutable Laws of Information Risk
Over the years, I’ve identified a number of “laws” that encapsulate some of the lessons
I’ve learned, and that seem to remain true despite the continually changing environment.
I call these the Nine Irrefutable Laws of Information Risk (with acknowledgements to
Culp (2000), Venables (2008), Lindstrom (2008), and other sources):
• Law #1: Information wants to be free. People want to talk, post,
and share information—and they increase risk by doing so. Some
examples:
A senior executive at a major technology company updated
his profile on a business social networking site. In doing so, he
inadvertently pre-announced a shift in his employer’s strategy—a
mistake that was promptly and gleefully picked up by the press.
An employee found a novel way to fix a piece of equipment
more quickly and, to help others across the company, decided to
videotape the procedure. Because video files are so large, it didn’t
make sense to e-mail the video, so the employee posted it online.
Unfortunately, by doing so, he exposed confidential information.
At one time or another, many people have experienced this
disconcerting event: when composing a message, the e-mail
software helpfully autofills the address field, but it selects the
wrong name from the address book. You hit Send without
realizing the error, thus dispatching a company-confidential
message to someone outside the organization.
It’s worth noting that this rule is not new. Information has
always wanted to be free: think of the World War II slogan “loose
lips sink ships.” People communicate, and sometimes they share
more information than they should. It’s just the methods that
have changed, and the fact that, with the Internet, a carelessly
mentioned detail is instantly available to anyone across the globe.
• Law #2: Code wants to be wrong. We will never have 100 percent
error-free software. In fact, the more widely used the software,
the more malicious individuals will hunt for vulnerabilities in the
code. They have found and exploited errors in the world’s most
widely used web sites, productivity applications, and enterprise
business software.
• Law #3: Services want to be on. On any computer, some
background processes always need to be running, and these can
be exploited by attackers. These could even be security software
processes used for everyday activities like keeping systems up-to-
date with software patches or monitoring for malware.
• Law #4: Users want to click. People naturally tend to click when
they see links, buttons, or prompts. Malware creators know this,
and they take advantage of it. In fact, the entire phishing industry is
based on the assumption that users will click on enticing e-mails,
web sites, or pop-up ads, triggering the download of malicious
code to their systems. The evolution of highly targeted attacks such
as spearphishing has taken this to a new level, as when e-mails
purporting to be letters discussing legal action from a circuit court
were sent to senior executives at a number of companies.
• Law #5: Even a security feature can be used for harm. Security
tools can be exploited by attackers, just like other software. This
means that laws 2, 3, and 4 are true for security capabilities, too.
Networking equipment supplier Juniper Networks discovered
that its firewall software contained “unauthorized code” that
surreptitiously decrypted virtual private network traffic (Goodin
2015). Security researchers have uncovered vulnerabilities that can
be exploited by attackers in products from well-known security
suppliers, including Kaspersky Labs and FireEye (Ashford 2015).
• Law #6: The efficacy of a control deteriorates with time. Once
put in place, security controls tend to remain static, but the
environment in which they operate is dynamic. Organizations
tend to “set and forget”: to install security controls and then fail to
update them with security patches or to properly maintain access
lists. As attackers find new ways to circumvent or compromise the
controls, their effectiveness progressively degrades. As Rob Joyce,
who heads the National Security Agency’s elite hacking unit, put
it, an organization with static defenses will drift to the back of the
herd, where it is easily picked off by a predator (see Chapter 6).
• Law #7: Code needs to execute. All software, good or bad, needs
to execute in order to perform its intended function. Malware is
created with malicious intent, but until it executes, it is dormant
and can do no harm. Exploits can therefore be intercepted and
stopped by security tools that inspect code before execution,
identify good from bad, and prevent bad code from executing.
• Law #8: Controls create friction. Security controls can slow users
and business processes by impacting system performance
or forcing them to use cumbersome processes. High-friction
controls therefore impose a “drag coefficient” on business
velocity. Users react to a high degree of control friction by
circumventing the controls whenever possible; as a result, the
controls can actually introduce new risks as business users go
around IT to get their jobs done. Control friction is an important
consideration when designing security architectures (see the
discussion on the 9 Box of Controls in Chapter 7).
• Law #9: As our digital opportunities grow, so does our obligation
to do the right thing. As technology becomes embedded into the
fabric of our lives, exploits that take advantage of technology
vulnerabilities may increasingly impact the well-being of almost
everyone in society. So it is particularly important that we apply
the right ethical values to shape the way we design, develop,
and implement these technologies. As I explain in Chapter 9,
security and privacy should now be considered a corporate social
responsibility.
A New Approach to Managing Risk
Given the ever-broadening role of technology and the resulting information-related
business risk, we need a new approach to information security built on the concept of
protecting to enable. This approach should
• Incorporate privacy and regulatory compliance by design, taking a
holistic view of information risk. Also, because all companies are
moving toward using technology not only for internal operations
but also in products and services, the information security
organization must work closely with other business groups to
understand and manage risk.
• Recognize that people and information, not the enterprise network
boundary, are the security perimeter. Information is no longer
restricted to tightly managed systems within data centers; it now
also resides outside the firewall, on users’ personal devices, and
on the Internet. Managing risk therefore requires a range of new
tools, including user awareness and effective security controls for
personal devices.
• Be dynamic and flexible enough to quickly adapt to new
technologies and threats. A static security model will inevitably
be overtaken by the dynamic nature of threats. We need security
architectures that can rapidly learn and adapt to new devices and
evolving threats, with a high degree of automation.
Above all, we need to accomplish a shift in thinking, adjusting our primary focus
to enabling the business, and then thinking creatively about how we can do so while
managing the risk. Our roles will only increase in importance as technology becomes
even more prevalent. Our ability to protect information security and privacy will be
essential to building the trust that enables our organizations to take advantage of new
digital opportunities.
© Malcolm W. Harkins 2016
M.W. Harkins, Managing Risk and Information Security,
DOI 10.1007/978-1-4842-1455-8_2
CHAPTER 2
The Misperception of Risk
The moment we want to believe something, we suddenly see all the
arguments for it, and become blind to the arguments against it.
—George Bernard Shaw
One hundred years ago, the “unsinkable” Titanic foundered after striking an iceberg
off the coast of Newfoundland. More than 1,500 people died in what became one of the
deadliest maritime accidents ever. Several factors contributed to this massive death toll,
but perhaps the most critical was that there simply weren’t enough lifeboats. The ship
carried 2,224 people, but fewer than half of them could squeeze into the boats.
As we know, passengers who didn’t get a spot in one of those lifeboats quickly died
in the freezing waters of the North Atlantic. What’s less well known is that the Titanic’s
supply of lifeboats was in full compliance with the British marine regulations in force at the
time. The law required the ship to carry 16 lifeboats; the Titanic actually had 20 lifeboats.
The ship’s owners did a good job of providing enough boats to address the regulatory
risk of noncompliance. Unfortunately, meeting regulatory requirements did little to
prevent the tragic loss of life.
This is a case of misperception of risk. The owners focused on mitigating the
regulatory risk, apparently blind to the much larger risk of disaster. They framed the
lifeboat issue as a compliance item that needed to be addressed so that the ship could
start carrying passengers and generating revenue. One could argue that if they had
stepped back and considered the potential consequences for the customers rather than
the company’s short-term priorities, history might have unfolded differently. Reports
suggest that the Titanic had enough capacity to easily add enough lifeboats for everyone
on board, had the owners chosen to do so.
What does this example have to do with managing information risk? We encounter
misperceptions every day within the realm of enterprise risk and security. Every
organization has a greater responsibility than simply complying with regulations. We have
to think about who is ultimately at risk: the company or the customer? Furthermore,
as I’ll show in this chapter, everyone in the organization has their own priorities and
their own subjective view of risk. Unless we mitigate these misperceptions, they can have
disastrous consequences. As a result, I believe that the misperception of risk is the most
significant vulnerability facing enterprises today.
CHAPTER 2 ■ THE MISPERCEPTION OF RISK
18
The Subjectivity of Risk Perception
As security professionals, we tend to think about objective ways to estimate risk—to
assess the likelihood and extent of harm that can occur due to specific threats and
vulnerabilities.
But in reality, the way people perceive risk has a strong subjective component.
Economic and psychological factors greatly affect how each of us perceives the likelihood
and potential impact of harm from specific actions or situations. Within an organization,
each individual’s perception of risk varies depending on his or her job role, goals,
background, and peer group. This means managers, security professionals, and end users
all may have a different view of the risk associated with a specific technology or action.
Misperceiving risk has serious consequences because our actions are shaped by
our perception of risk. An employee may think that posting personal and work-related
information on a social media site is relatively harmless. However, hackers might use this
publicly available information in phishing e-mails to gain access to enterprise systems via
the employee’s computer, ultimately resulting in detrimental security breaches.
End users are not the only members of the organization who can misperceive risk.
Everyone is capable of misperceiving risk, including risk and security professionals. As
I’ll explain later in this chapter, misperceptions occur at the group level as well as the
individual level. Members of a group may share the same bias in their perception of risk
and benefit.
The decisions that result from these misperceptions can weaken the entire
organization’s security posture. If an organization underestimates a risk, it will
underspend on controls to mitigate that risk, increasing the likelihood and potential
impact of major problems such as data breaches. On the other hand, if the organization
overestimates a risk, it will allocate a disproportionately large share of its security
resources to the risk, leaving other parts of the risk landscape underprotected.
In this chapter, I’ll discuss how and why different people within an organization
misperceive risk, whether they are acting as information technology users, security
professionals, or managerial decision makers. To explore these misperceptions, I’ve drawn
on research across the broader field of risk psychology, notably The Psychology of Risk,
a book by Professor Dame Glynis Breakwell, Vice Chancellor of the University of Bath
(Cambridge University Press 2007). I’ll examine how these ideas about risk perception
apply to information risk and security. I’ll explain some of the consequences of those
misperceptions, and I’ll discuss some of the ways an organization can address them.
How Employees Misperceive Risk
Research shows that if we like an activity, we tend to judge its benefits to be high and its
risk to be low (Slovic 2010). Conversely, if we dislike the activity, we judge it as low-benefit
and high-risk. Because of this, the perception of risk by individuals and groups within an
organization tends to be biased by their preferences, roles, and objectives. Everyone is
trying to achieve their individual or group goals within the organization, so they tend to
see activities and technologies that support those goals as beneficial, and therefore they
tend to underestimate the risk.
So if employees like social media, their attraction to the technology skews their
perception of benefit and risk. Because they judge the benefit to be high and the risk to be
low, they feel comfortable posting information such as their job title, location, and even
the projects they’re working on. They may even allow sites to capture their location, using
the global positioning system in their cell phone, and display the location in real time.
Unfortunately, these employees may not think about how a malicious individual
could use that information. Today, as we’ve seen, an individual’s use of technology can
harm not only the individual but the entire organization. Attackers exploit publicly
available personal information to craft spearphishing e-mails that are particularly
convincing because they appear to come from someone who has a relationship with the
recipient, or who knows the recipient’s role and current projects, making the employee
more likely to click on a link that downloads malware to the system. From there, the
attacker spreads to the rest of the corporate network. In addition, information posted by
individuals is now routinely aggregated, analyzed to identify patterns, and sold,
often to a company’s competitors.
The risk and security team may also misperceive the risk of social media, but in the
opposite direction: they overestimate the risk and underestimate the benefits. They may
not like social media because it creates vulnerabilities, and their perception then drives
them to focus on minimizing the risk by trying to block the use of the technology.
Other psychological factors also come into play in shaping end users’ risk
perception. People in general tend to believe they are personally less likely than others
to experience negative events and more likely to experience positive events, leading to
a sense of personal invulnerability (Breakwell 2007). In addition, users are more
likely to behave in risky ways if their colleagues do so. “It’s conformity: being seen to be
doing what everybody else is doing,” Breakwell says (pers. comm.). Many social media
sites encourage this conformist tendency: if all your friends are using a social media site,
you’re likely to join the site too, because it enables you to see what they are doing and
share information with them more easily.
The likelihood that individuals will behave in ways risky to the organization also
increases when their individual interests don’t align with the company’s. This divergence
is most likely when employees are discontented, resentful, demoralized, or simply don’t
trust IT or the broader organization.
In economic theory, the problem resulting from this lack of alignment is known as a
moral hazard: a situation in which someone behaves differently, typically taking more
risk, than they would if they were fully exposed to the consequences of that risk. A useful
moral hazard analogy is renting a car with full insurance coverage. Because they are not
responsible for the consequences, people are likely to be less careful with the rental car
than they would be with their own. The attitude is “if it’s not mine, it doesn’t matter.”
In the realm of enterprise IT, moral hazards may be a bigger concern than many
appreciate. A Cisco survey (2011a) found that 61 percent of employees felt they were not
responsible for protecting information and devices, believing instead that their IT groups
or IT service providers were accountable. Ominously, 70 percent of these surveyed
employees said they frequently ignored IT policies.
One indicator of the extent of moral hazard within an organization may be how
employees treat company-provided laptops. Higher-than-average loss or damage rates
might suggest employees don’t care about the laptops, and may be an indication that they
don’t care about other corporate assets either. As I’ll discuss in Chapter 5, I believe
allowing reasonable personal use of laptops can help reduce the risk of moral hazard
because it aligns personal interests with those of the organization.
80 ■Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric..................................................................... 81 Structured Methods for Identifying Threat Trends................................. 82 The Product Life Cycle Model.................................................................................83 Understanding Threat Agents .................................................................................88 Playing War Games.................................................................................................90 Trends That Span the Threat Landscape ............................................... 91 Trust Is an Attack Surface.......................................................................................91 Barriers to Entry Are Crumbling..............................................................................92
  • 13. ■ CONTENTS xii The Rise of Edge Case Insecurity ...........................................................................92 The Enemy Knows the System ...............................................................................93 Key Threat Activity Areas....................................................................... 94 The Industry of Malware.........................................................................................94 The Web Expands to the Internet of Things........................................... 94 Smartphones......................................................................................... 96 Web Applications....................................................................................................97 Conclusion............................................................................................. 97 ■Chapter 7: A New Security Architecture to Improve Business Agility............................................................................ 99 The 9 Box of Controls, Business Trends, and Architecture Requirements ................................................................. 101 9 Box of Controls ..................................................................................................101 IT Consumerization...............................................................................................102 New Business Needs............................................................................................103 Cloud Computing ..................................................................................................104 Changing Threat Landscape.................................................................................104 Privacy and Regulatory Requirements..................................................................105 New Architecture................................................................................. 
105 Trust Calculation...................................................................................................106 Security Zones......................................................................................................109 Balanced Controls.................................................................................................113 Users, Data, and the Internet of Things: The New Perimeters ..............................115 Conclusion........................................................................................... 116 ■Chapter 8: Looking to the Future: Emerging Security Capabilities...................................................................... 117 Internet of Things ................................................................................ 120 Consistent User Experience Across Devices ....................................... 121
  • 14. ■ CONTENTS xiii Cloud Computing................................................................................. 122 Big Data Analytics ............................................................................... 122 Artificial Intelligence ........................................................................... 122 Business Benefits and Risks............................................................... 123 New Security Capabilities.....................................................................................123 Baseline Security..................................................................................................124 Context-Aware Security........................................................................................126 Conclusion........................................................................................... 127 ■Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk........................................................ 129 The Expanding Scope of Corporate Social Responsibility................... 130 The Evolution of Technology and Its Impact........................................ 132 Maintaining Society’s Trust ................................................................. 134 The Ethics of Managing Information Risk ........................................... 135 Conclusion........................................................................................... 137 ■Chapter 10: The 21st Century CISO ............................................ 139 Chief Trust Officer................................................................................ 139 The Z-Shaped Individual...................................................................... 141 Foundational Skills.............................................................................. 142 Becoming a Storyteller........................................................................ 
143 Fear Is Junk Food................................................................................ 144 Accentuating the Positive.....................................................................................145 Demonstrating the Reality of Risk....................................................... 146 The CISO’s Sixth Sense ....................................................................... 147 Taking Action at the Speed of Trust ......................................................................148 The CISO as a Leader .......................................................................... 148 Learning from Other Business Leaders ................................................................149
  • 15. ■ CONTENTS xiv Voicing Our Values................................................................................................150 Discussing Information Risk at Board Level.........................................................151 Conclusion........................................................................................... 153 ■Chapter 11: Performance Coaching............................................ 155 How to Use the Tables......................................................................... 156 Independence and Initiative .................................................................................157 Efficiency and Effectiveness.................................................................................158 Commitment.........................................................................................................160 Professionalism....................................................................................................161 Discipline .............................................................................................................161 Teamwork.............................................................................................................162 Problem-Solving...................................................................................................163 Communication.....................................................................................................164 Goal-Setting..........................................................................................................168 Conclusion........................................................................................... 169 ■Appendix A: References.............................................................. 171 Index.............................................................................................. 181
Foreword

Security and first-person shooter video games have one obvious thing in common: if you’re not continuously moving, you’re dead. In this second edition of Managing Risk and Information Security, Malcolm Harkins helps us move our thinking into areas of risk that have become more prominent over the last several years. Because there is so much new content in this edition, I will focus on a topic that has risen to greater prominence since the first edition: people are the perimeter.

When we reflect on what has changed in recent years, with an eye to the vulnerabilities that result in real-world compromises, a pattern emerges: virtually all the major breaches that we have seen involve manipulation of people. When nearly everyone has heard of phishing, we have to ask ourselves: why is it still such an effective tool? The obvious theory is that we haven’t managed people risk as well as we should. Perhaps we have been standing still and need to learn how to dodge and experiment with the way we drive better people-security outcomes.

Unfortunately, the path is not 100% clear. Unlike technology, the field of influencing human behavior in security is remarkably complicated and supported by limited research. Malcolm provides us with a great foundation and framework to build our “security engagement” functions. I like to use the word “engagement” because it speaks to how the security organization relates to the workforce in a manner that isn’t simply bounded by the more traditional term “training and awareness.” Engagement encompasses anything that shifts the desired behavior outcome in the direction we want it to go. I have seen remarkable shifts in measured behavior from the use of non-traditional tools such as security gamification and simulation. The way Malcolm differentiates between “compliance” and “commitment” is key.

Managing Risk and Information Security is an ever-evolving classic in the field of security management.

—Patrick Heim, Head of Trust & Security, Dropbox
Praise for the second edition of Managing Risk and Information Security

We assign Malcolm’s book to our Carnegie Mellon CISO-Executive Program students on their first day of class. It is relevant, pragmatic, and solution oriented. Our adversaries are changing their practices and so must we. Malcolm’s book is a terrific tool for the modern-day info sec leader who wants to shift from security as a restriction to security as a business enabler.

—Andy Wasser, Associate Dean, CMU Heinz College

Malcolm is a top-notch executive, security leader, and innovator, with a keen ability to convey thought-provoking and valuable insights. His latest effort demonstrates remarkable foresight into the skills necessary to excel as a security leader today and tomorrow.

—Clayton J. Pummill, Executive Director, Security Advisor Alliance

I could go on and on about what I liked specifically—there was much, including the discussion about governance models and social responsibility—but here is the net: this is the first time I’ve seen someone be able to speak to security specifics while also raising the conversation to a much higher level. It begins to take on an Alvin Toffler feel from his astounding book, The Third Wave. Malcolm’s thoughts are philosophically sweeping while at the same time imminently practical.

—Todd Ruback, Esq., CIPP-US/E, CIPT, Chief Privacy & Security Officer & V.P. Legal Affairs, Ghostery

Malcolm Harkins is a foremost expert at managing risk and information security. In this latest book, he further expands his Protect to Enable philosophy and does so in a way that offers practical and actionable initiatives that any risk manager or CISO can implement to protect their enterprise while enabling business growth. A must-read for CISOs and their teams!

—Tim Rahschulte, Ph.D., Chief Learning Officer & Content Officer, Evanta

Malcolm Harkins is a visionary thought leader on cyber security and risk management. Managing Risk and Information Security is a must read. Malcolm helps readers immediately take the information and apply it to their own organizations. You will find that this book cuts through the fog and provides a clear picture of where and what to focus on to effectively manage cyber business risk.

—Phil Ferraro, Global CISO and Cyber Security Consultant

The CISO is more than just a technology expert; she must be savvy about leadership, influence, and change across complex organizations; someone who sees her mission not to just drive implementation of a large system, but to foster sustainable culture change at every level. As an organizational psychologist, I recognize Harkins’ keen eye for group dynamics and leadership tactics that enable CISOs to enhance enterprise security. He puts his finger on the habits, assumptions, and decision processes typical of many employees and teams, as they unknowingly increase security risk, and for that alone this book is a gem. It should be required reading for aspiring CISOs and for anyone who has a role in the recruitment and hiring of CISOs.

—Marc Sokol, PhD, Executive Editor, People + Strategy

Malcolm Harkins’ take on information security and risk is a refreshing change from the increasingly frequent alarm bells raised in the press with regard to the “brave new world” where technology is presented as an ever-escalating conflict between our seemingly insatiable appetite for connectivity, cool applications, and customized information, on the one hand, and a desire to control who has our information and how they may use it, on the other. Harkins instead offers a cool, clear-eyed perspective where managing information and risk are placed in a wider context. His prescriptions and frameworks are recipes for well-managed organizations in the broadest sense. They allow us to embrace our new-found technological abilities without fear because we have defined their purpose capaciously enough to be a positive good, to be of service to all a company’s stakeholders. That is, once we set a truly human course, technology serves rather than threatens us. Organization purpose, when defined in this way, is an expression of our values and is empowered by that fuel. Harkins’ book is a practical as well as purposeful guide to a values-driven implementation of information technology.

—Mary C. Gentile, PhD, Author of Giving Voice To Values: How To Speak Your Mind When You Know What’s Right (Yale University Press)

In today’s rapidly evolving security landscape, security professionals are navigating a complex set of dynamics across the enterprise. In Managing Risk and Information Security, Malcolm Harkins draws on his rich security experience to present a connected view of where companies should be focused. He puts forth a valuable perspective, as organizations around the world look to create a necessary balance of protection and innovation, which ultimately enables business success.

—Bret Arsenault, Corporate Vice President and CISO, Microsoft Corporation

Malcolm generously shares through personal experiences and story telling the formula for a successful 21st century CISO. It is one part multi-disciplinary leader and one part trusted advisor to the business, combined with behavioral models required for balanced risk decision making. A must-read for all new CISOs. Malcolm lives his beliefs.

—Nasrin Rezai, GE Corporate Security & Compliance Officer

In the second edition of his book, Malcolm seamlessly articulates the future horizon of cyber security and the critical role that the CISO and security professionals will need to fulfill in order to defend both the company and consumers they serve. The guidance he provides into the skills, leadership, and approach required for successfully navigating the emerging challenges of securing a digital economy is invaluable. Regardless of your current role, this is a must-read for everyone who has accepted this great responsibility and privilege.

—Steven Young, CISO, Kellogg Company

While other security officers are looking to the traditional or the latest “cool” product, Harkins goes against the tide and asks the questions that need addressing. His forward-thinking mindset and Protect to Enable approach inspire others to innovate and go beyond the mainstream. If you cannot bring Harkins to your company for mentoring, this book will at least spark thought and will change how your engineers view security within the business.

—Charles Lebo, Vice President and CISO, Kindred Healthcare

Malcolm’s vast experience makes him one of the most credible security leaders on the international stage and serves as the perfect platform for this book. Rational, compelling, and authoritative writing is far too rare in the world of risk and information security, but Malcolm completely nails it in Managing Risk and Information Security with invaluable advice and recommendations for anyone planning a future in the security world. His extensive experience in business before becoming a CISO is one of the missing ingredients in many security executives’ professional toolbox, which is why this is such an important book. Make sure to keep a highlighter and notepad handy because there are a lot of nuggets in here you’ll want to remember on your journey to becoming a better security professional.

—Mark Weatherford, Chief Cybersecurity Strategist at vArmour and former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security

I’ve had the privilege of working with many talented CISOs over the years and Malcolm is one of the best. His logical, methodical approach to solving the most complex cybersecurity problems is reflected in his lucid style. An enlightened approach to understanding risk that unites all stakeholders and a systemic intelligence-based approach to security infrastructure are the only ways to reduce the threat to manageable levels. This is our best path forward if we are ever to realize the vast potential of the innovative digital world we are creating. In Managing Risk and Information Security, Malcolm shines a light on that path in a comprehensive yet very readable way.

—Art Coviello, Former CEO and Executive Chairman, RSA
About the Author

Malcolm Harkins is the Chief Security and Trust Officer (CSTO) at Cylance Inc. In this role, he reports to the CEO and is responsible for enabling business growth through trusted infrastructure, systems, and business processes. He has direct organizational responsibility for information technology, information risk, and security, as well as security and privacy policy. Malcolm is also responsible for peer outreach activities to drive improvement across the world in the understanding of cyber risks and best practices to manage and mitigate those risks.

Previously, Malcolm was Vice President and Chief Security and Privacy Officer (CSPO) at Intel Corporation. In that role, Malcolm was responsible for managing the risk, controls, privacy, security, and other related compliance activities for all of Intel’s information assets, products, and services. Before becoming Intel’s first CSPO, he was the Chief Information Security Officer (CISO) reporting into the Chief Information Officer. Malcolm also held roles in finance, procurement, and various business operations. He has managed IT benchmarking and Sarbanes-Oxley–compliance initiatives. Harkins acted as the profit and loss manager for the Flash Product Group at Intel; was the general manager of Enterprise Capabilities, responsible for the delivery and support of Intel’s Finance and HR systems; and worked in an Intel business venture focusing on e-commerce hosting.

Malcolm previously taught at the CIO Institute at the UCLA Anderson School of Management and was an adjunct faculty member at Susquehanna University in 2009. In 2010, he received the RSA Conference Excellence in the Field of Security Practices Award. He was recognized by Computerworld as one of the Premier 100 Information Technology Leaders for 2012. (ISC)2 recognized Malcolm in 2012 with the Information Security Leadership Award. In September 2013, Malcolm was recognized as one of the Top 10 Breakaway Leaders at the Global CISO Executive Summit. In November 2015, he received the Security Advisor Alliance Excellence in Innovation Award. He is a Fellow with the Institute for Critical Infrastructure Technology, a non-partisan think-tank that provides cybersecurity briefings and expert testimony to the U.S. Congress and federal agencies.

Malcolm is a sought-after speaker for industry events. He has authored many white papers and in December 2012 published his first book, Managing Risk and Information Security. He also was a contributing author to Introduction to IT Privacy, published in 2014 by the International Association of Privacy Professionals. Malcolm received his bachelor’s degree in economics from the University of California at Irvine and an MBA in finance and accounting from the University of California at Davis.
Acknowledgments

I received valuable feedback from many readers of the first edition of this book. That feedback helped me to expand the book with additional insights, clarifications, and updated examples. It also encouraged me to add two more chapters to the second edition: one on corporate social responsibility, and the other on performance coaching.

Special thanks to Mike Faden: without his help this book would not have happened.

As I noted in the first edition, many people during my journey at Intel helped me learn and grow. A number of them published material that is still referenced in this second edition. Other experts who have helped me come from a variety of different peer groups. They include members of the Bay Area CSO Council, the Executive Security Action Forum, the members and staff of CEB and its Information Risk Leadership Council, participants in the Evanta CISO Executive Summits and the CISO coalition, as well as the Security Advisor Alliance.

Finally, I wish to thank Stuart McClure for giving me the opportunity to join Cylance.
Preface

If you don’t believe in the messenger, you won’t believe the message. You can’t believe in the messenger if you don’t know what the messenger believes. You can’t be the messenger until you’re clear about what you believe.

—James Kouzes and Barry Posner, in The Leadership Challenge

A great deal has transpired since the first edition of this book was published in January 2013, both in the world of information risk and in my personal life and career. To briefly cover the latter, in January 2013, I was named Intel’s Chief Security and Privacy Officer. My broad role was one of the first of its kind in corporate America: I was charged with managing and mitigating risk for Intel’s products and services worldwide, in addition to Intel’s internal IT environment. In June 2015, I left Intel to become CISO at Cylance Inc., and in May 2016, I was named Cylance’s Chief Security and Trust Officer.

These career changes occurred during an extraordinary period of escalating information risk, as evidenced by an almost continuous stream of major hacks and breaches, and a corresponding rise in society’s awareness of risk. Some key examples:

• May 2013: Edward Snowden flies to Hong Kong after leaving his job at an NSA facility in Hawaii. The following month, he reveals thousands of classified NSA documents. The disclosures, including previously unknown government surveillance programs, continue to cause worldwide repercussions today.

• December 2013: The blog Krebs On Security reports a massive data breach at Target. The company confirms the breach the next day. Within months, Target’s CIO and CEO both resign amid the fallout.

• May 2014: A U.S. grand jury indicts five Chinese military officers on charges of hacking American companies and stealing trade secrets.

• November 2014: Employees at Sony Pictures arrive at work to discover their network has been hacked. Attackers steal and then erase data on thousands of systems, forcing studio employees to revert to using fax machines and pen and paper. The attackers then dump huge batches of confidential business and personal information online.

• March 2015: Google’s Project Zero hacking team demonstrates the ability to exploit a fundamental flaw in DDR3 SDRAM to perform privilege escalation attacks on systems containing the chips. Some mitigation approaches are available, other than replacing the DDR3 memory in millions of systems worldwide.

• June 2015: The US Office of Personnel Management announces a data breach targeting the personal data of up to 4 million people. The attack, which includes security clearance-related information, is one of the largest-ever breaches of government data. By July, the estimated number of stolen records increases to 21.5 million.

• February 2016: The Hollywood Presbyterian Medical Center in Los Angeles says it has paid a bitcoin ransom to attackers who held its systems hostage, encrypting data and blocking access by hospital staff. Some believe the healthcare industry is the next major target for cyber criminals.

Given this escalating cycle of risk, and the potential catastrophic societal implications of today’s attacks, we must all be ready to be held accountable. This may require a large mental shift for those used to simply assigning responsibility and blame for a breach to the people who traditionally perform post-attack cleanup: corporate IT departments, internal information security teams, and investigations and computer forensics groups. Everyone, from corporate executives to security practitioners, shares responsibility for security and privacy. We must all step back and contemplate our own personal responsibilities, not only to the organizations we work for and the customers we serve, but also to society as a whole.

The challenge we sometimes face is how to characterize that responsibility. Is our responsibility to limit liability for our organizations? Or is it a duty of care to the people whose information we store? What values are we using when we make decisions about cyber risk, and what bias do those values create in our decisions? Are we forward-looking enough, or will the decisions we make to fix our problems today create other problems in the future? As Benjamin Franklin once said, “All human situations have their inconveniences. We feel those of the present but neither see nor feel those of the future; and hence we often make troublesome changes without amendment, and frequently for the worse.”

As security and privacy professionals, a key part of our role is to ensure the right dialogue and debate occurs. We need to ask “high-contrast” questions that sharply define the implications of the choices our organizations make. We need to make sure that the opportunities are as clearly defined as the obligations to mitigate risk, so that our organizations make the right decisions. And we need to take equal responsibility for the outcomes of those choices, as opposed to abdicating that responsibility solely to the business. Once the choice is made, we must transition out of the debate about what is right and focus on taking the right actions—on making tomorrow better than today.

We can think of this as doing what’s right. We can think of it as protecting our customers and partners and keeping our markets healthy for everyone. No matter what motivates us, thoughtfully building systems to support a culture of genuine responsibility for privacy and security is not only good corporate responsibility; it is also good for business. For computing to continue to improve the world we live in rather than endanger it, it needs to be trustworthy. And for that trust to be deliverable, we need to ensure the data we enter into our computers is both secure and private. As an organization, we demonstrate and build trust through our approach to solving these cyber-risk challenges.

In the preface of the first edition, I said “Managing Risk and Information Security is a journey, but there is no finish line. Our approach to managing information risk must continue to evolve as rapidly as the pace of business and technology change. My hope is that people will read this book and begin their own journey.” I still firmly believe what I said then. But I also believe that, as General George Marshall once said, “The only way human beings can win a war is to prevent it.” We are at war against adversaries who wish to harm the users of technology. But there is also a battle among those responsible for protecting security and privacy. On one side are organizations that would like to continue on the current path because they profit from the insecurity of computing, or that approach the duty of care with a bias towards limiting liability rather than protecting their customers. On the other side are those who believe that our role is to generate trust. We do that by protecting to enable people and businesses. It’s a hard road; I know, because I experience it every day. But we shouldn’t back away from something just because it is hard. We need to plant our feet and stand firm. The only question is where we plant our feet.
© Malcolm W. Harkins 2016. M.W. Harkins, Managing Risk and Information Security, DOI 10.1007/978-1-4842-1455-8_1

CHAPTER 1
Introduction

There are two primary choices in life: to accept conditions as they exist, or accept the responsibility for changing them.
—Denis Waitley

In January 2002, I was hired to run a new Intel internal program called Security and Business Continuity. The program had been created following the major security events of the previous year (9/11 and the Code Red/Nimda viruses) and it focused primarily on the availability risks at that time. I had no background in technical security, but I had been at Intel for nearly 10 years in a variety of business-related positions, mostly in finance. As I learned about information risk during the first few months, it became apparent to me that the world was starting to change rapidly and that a “perfect storm” of risk was beginning to brew. In June 2002, I put together a diagram (Figure 1-1) to explain the risks to my manager, Intel’s CIO, and anyone who would listen to me. The diagram has been updated slightly since then to more explicitly highlight the geo-political forces that are a key part of the threat, vulnerability, and regulatory risk landscape.
Today, it is clear that my view of the world was essentially accurate. Security breaches and intrusions are reported almost daily at organizations of all sizes, legal and regulatory issues related to technology use continue to grow, and geo-politics have surged to the forefront of some of these discussions in a post-Snowden era. Cyber attacks and data breaches are now considered the biggest threats to business continuity, according to a recent survey (Business Continuity Institute 2016).

But the key question that I asked in the first edition of this book is still valid. Is information security really effective? Given the rapid evolution of new technologies and uses, does the information security group even need to exist? Obviously, this is a somewhat rhetorical question. I cannot imagine that any sizeable organization would operate well without an information security function. But the real issue is whether the information security group should continue to exist as it does today, with its traditional mission and vision. It is clear from the prevalence of breaches and compromises that we have not kept up with the threats, and we appear to be slipping farther behind as the world grows more volatile, uncertain, and ambiguous. It is no wonder that we have fallen behind: as the world of technology expands exponentially, so do the technology-related threats and vulnerabilities, yet our ability to manage those security and privacy risks has progressed only at a linear rate. As a result, there is a widening gap between the risks and the controls. In fact, many organizations have essentially given up actively trying to prevent compromises and have defaulted to reliance on after-the-fact detection and response tools.

Figure 1-1. The perfect storm of information risk
As information risk and security professionals, we should be asking ourselves pointed questions if we wish to remain valuable and relevant to our organizations. Why do we exist? What should our role be? How are new consumer and Internet of Things (IoT) technologies shaping what we do, and can we shape the world of these new technologies and usage models? How is the evolving threat landscape shaping us, and can we shape the threat landscape? Given the bewildering pace at which technology changes and new threats appear, how do we focus and prioritize our workload? What skills do we need?

Traditionally, information security groups in businesses and other organizations have taken a relatively narrow view of security risks, which resulted in a correspondingly narrow charter. We focused on specific types of threats, such as malware. To combat these threats, we applied technical security controls. In an attempt to protect against attacks and stop them reaching business applications and employees’ PCs, we fortified the network perimeter using firewalls and intrusion detection software. To prevent unauthorized entry to data centers, we installed physical access control systems. Overall, our thinking revolved around how to lock down information assets to minimize security risks, and how to reactively detect and respond to risks as they presented themselves.

Today, however, I believe that this narrow scope not only fails to reflect the full range of technology-related risk to the business; it is detrimental to the business overall. Because this limited view misses many of the risks that affect the organization, it leaves areas of risk unmitigated and therefore leaves the organization vulnerable in those areas. It also makes us vulnerable to missing the interplay between risks and controls: by implementing controls to mitigate one risk, we may actually create a different risk.
And by focusing primarily on detection and response, we are not preventing harm; we are just trying to limit the damage. As I’ll explain in this book, we need to shift our primary focus to adopt a broader view of risk that reflects the pervasiveness of technology today. Organizations still need traditional security controls, but they are only part of the picture.

There are several reasons for this. All stem from the reality that technology plays an essential role in most business activities and in people’s daily lives. Technology has become the central nervous system of a business, supporting the flow of information that drives each business process from product development to sales. In addition, as I’ll discuss throughout this book, almost every company is becoming a supplier of technology in some form, as technology becomes a vital element of most products, services, and infrastructure from cars and household appliances to the power grid. The role of technology in people’s personal lives has expanded dramatically, too, and the boundaries between business and personal use of technology are blurring. Marketers want to use social media to reach more consumers. Employees want to use their personal smartphones to access corporate e-mail. Meanwhile, the regulatory environment is expanding rapidly, affecting the way that information systems must manage personal, financial, and other information in order to comply—and introducing a whole new area of IT-related business risks. Threats are also evolving quickly, as attackers develop more sophisticated techniques, often targeted at individuals, which can penetrate or bypass controls such as network firewalls, traditional antivirus solutions, and outdated access control mechanisms such as passwords.
In combination, these factors create a set of interdependent risks to a business’s information and technology, from its internal information systems to the products and services provided to its customers, as shown in Figure 1-2.

Figure 1-2. Managing the interdependent set of technology-related risks

Traditional security or other control-type thinkers would respond to this situation by saying “no” to any technology that introduces new risks. Or perhaps they would allow a new technology but try to heavily restrict it to a narrow segment of the employee population. An example of this over the past few years was the view at some companies that marketers should not engage consumers with social media on the company’s web site because this meant accumulating personal information that increased the risk of noncompliance with privacy regulations. Another example was that some companies didn’t allow employees to use personal devices because they were less secure than managed business PCs.

The reality is that because IT is now integrated into everything that an organization does, security groups cannot simply focus on locking down information assets to minimize risk. Restricting the use of information can constrain or even disable the organization, hindering its ability to act and slowing its response to changing market conditions. A narrow focus on minimizing risk therefore introduces a larger danger: it can threaten a business’s ability to compete in an increasingly fast-moving environment.
THE CHALLENGES OF RISING SECURITY COSTS AND SKILLS SHORTAGES

Growing recognition of the importance of security and privacy, triggered largely by highly publicized breaches, has led to sharply increasing security spending and an accompanying skills shortage. If the current trajectory continues, Gartner Inc. predicts that by 2017 the typical IT organization will spend up to 30 percent of its budget on risk, security, and compliance, and will allocate 10 percent of its people to these security functions. That is triple the levels of 2011 (Gartner 2015b). At the same time, skill shortages may worsen; more than a third of security managers surveyed in 2015 reported significant obstacles in implementing security projects due to inadequate staffing (Morgan 2015). One question is how much of the projected cost increase is due to under-investment in the past, and how much is due to the fact that organizations have invested in technologies that do not adequately reduce risk. To break the cycle, as I’ll explain in Chapter 7, we need a new security model and tools that create a demonstrable decrease in the risk curve, with a greater focus on effective prevention and machine learning to reduce cost and manual effort.

Protect to Enable®

To understand how the role of information security needs to change, we need to re-examine our purpose. We need to Start with Why, as author Simon Sinek argues convincingly in his book of the same name (Portfolio, 2009). Why does the information security group exist? As I considered this question back in 2010, and discussed it with other members of the risk and security team that I led at Intel, I realized that we needed to redefine our mission. Like the IT organization as a whole, we exist to enable the business, to help deliver IT capabilities that provide competitive differentiation.
Rather than focusing primarily on locking down assets, the mission of the information risk and security group must shift to enabling the business while applying a reasonable level of protection. To put it another way, we provide the protection that enables information to flow through the organization, our partners, and our customers. We also provide the protection for the technology that our organizations create to provide new experiences and opportunities for our customers. The core competencies of information security groups—such as risk analysis, business continuity, incident response, and security controls—remain equally relevant as the scope of information-related risk expands to new areas, such as technology-enabled products and services, as well as privacy and financial regulations. But rather than saying “no” to new initiatives, we need to figure out how to say “yes” and think creatively about how to manage the risk.
During my time at Intel, the security group’s mission evolved toward this goal as we helped define solutions to a variety of technology challenges. For example, my team recognized as early as 2002 that implementing wireless networks within Intel’s offices could help make the workforce more productive and increase their job satisfaction by letting them more easily connect using their laptops from meeting rooms, cafeterias, and other locations. At the time, many businesses avoided installing wireless networks within their facilities because of the risk of eavesdropping or because of the cost. We learned pretty quickly that when we restricted wireless LAN deployments or charged departments additional fees to connect, we actually generated more risks. This was because the departments would buy their own access points and operate them in an insecure fashion. We recognized that the benefits of installing wireless LANs across the company outweighed the risks, and we mitigated those risks using security controls such as device authentication and transport encryption. By 2004, that approach had enabled ubiquitous wireless and mobile computing that propelled productivity and actually reduced risks.

A more recent example that many organizations have experienced: for years, Intel didn’t allow employees to use personal smartphones for business, due to concerns about privacy and other risks such as data theft. However, we experienced growing demand from employees soon after the launch of the iPhone 3 in 2009. We realized that letting them use these consumer devices to access e-mail and other corporate systems would help boost employee satisfaction and productivity. By working closely with legal and human resources (HR) groups, we defined security controls and usage policies that enabled us to begin allowing access to corporate e-mail and calendars from employee-owned smartphones in early 2010.
The initiative was highly successful, with a massive uptake by employees, overwhelmingly positive feedback, and proven productivity benefits (Evered and Rub 2010, Miller and Varga 2011). The success of the initiative led to its selection for an in-depth Ivey Business School case study (Compeau et al. 2013).

The transformation within the information security group was reflected in changes to our mission statement and top priorities over the years. In 2003, the internal mission statement reflected the traditional focus and scope of information security organizations: the overarching goal was to protect information assets and minimize business disruption. By 2010 it was clear to me that we needed to simplify our purpose and also broaden the scope. So in 2011, I changed our mission to Protect to Enable to express the idea that our primary goal was to find ways to enable the business while providing the protection necessary to reduce the risk to an acceptable level.

For a few years after this, I thought of information risk and security as a balancing act. I felt that we needed to try to find the right balance between providing open access to technology and information to enable the business and locking down assets. Providing open access allows greater business agility. The business can move more quickly with fewer restrictions. Employees can work more freely, and the faster flow of information allows the company to grow and transform. But as my responsibilities grew to encompass security and privacy not only for internal systems but also for all aspects of products and services, I realized that a balancing act was the wrong analogy. We should not start from a position of making trade-offs between risks and enablement, or between security and privacy.
So I began using a different model that I now feel more accurately represents the challenges of managing information risk: we should take on the harder task of optimizing what is really a multivariate equation of risk dynamics and business objectives in order to create solutions that are “tuned to target,” as shown in Figure 1-3.
For each problem and solution, we try to optimize or “tune” five primary variables:

• Risk and Compliance: Meeting security, privacy, and compliance requirements, based on the organization’s risk tolerance and security and privacy principles.
• Cost and Maintenance: The total cost of controls, factoring in deployment and maintenance costs.
• Productivity and User Experience: The extent to which controls hinder business velocity by making it harder for users to do their jobs. I call this control friction. In addition, if we make it difficult or time-consuming for users to follow security policies or use security tools, they’ll ignore them, thus creating more risks. (See the discussion of the 9 Box of Controls in Chapter 7.)
• Market Objectives: The company’s goals, such as increased market share.
• Customer Needs: Our customers’ privacy and security needs, as well as their overall experience.

Ultimately there may be cases where we cannot fully optimize each item and we need to make trade-offs, but that doesn’t mean we shouldn’t try.

Figure 1-3. Tuned to target: optimizing the equation to meet business objectives and customer needs
I hope that this model may help information security groups at other organizations think about how these priorities relate to their own businesses. The optimization points for each variable and objective will depend on factors such as the organization’s overall culture, technical acumen, and appetite for risk.

Building Trust

I believe that if computing is to continue to improve the world we live in, rather than endanger it, it must be trustworthy. Unfortunately, as I describe in Chapter 9, the privacy and security breaches that have hit the headlines in recent years have weakened the public’s trust in technology, according to the Edelman Trust Barometer, a widely used indicator. The rapid implementation of new technologies emerged as a new factor in depressing trust overall. “By a two-to-one margin, respondents in all nations feel the new developments in business are going too fast and there is not adequate testing,” the study concluded (Edelman 2015).

To rebuild trust in technology, we need to ensure the data we enter into our systems is both secure and private. At Cylance, we strive to cultivate a work environment where security, privacy, and trust are an integral part of the evolving culture of the company and foundational to the design, development, and delivery of our products and services.

To analyze the context that led to my approach to the risk and security mission, and helped to shape top priorities, I’ll explore some of the key changes in the landscape: the rapidly expanding regulatory environment, the emergence of new devices and technologies, and the changing threat landscape.

Keeping the Company Legal: The Regulatory Flood

Until the early 2000s, I didn’t see regulatory compliance as a top priority for information security. That’s simply because there weren’t many regulations that impacted IT, at least in the United States.
There were a few exceptions that affected a subset of companies, including Intel, such as controls on certain high-tech exports. And in European countries, there were already regulations that sought to protect personal information. But in general, IT groups didn’t have to dedicate much of their time, or budget, to regulatory compliance.

The change in the last decade has been extraordinary. We have seen a flood of new regulations implemented at local, national, and international levels. They affect the storage and protection of information across the entire business, from the use of personal information for HR and marketing purposes, to financial data, to the discovery of almost any type of document or electronic communication in response to lawsuits. And with growing concerns about cyberwarfare, cyberterrorism, and hacktivism, several countries are evaluating additional cybersecurity legislation in an attempt to protect critical infrastructure and make industries more accountable for strengthening security controls.

In most cases, these regulations do not aim to specifically define IT capabilities; however, because information is stored electronically, there are huge implications for IT. The controls defined in the regulations ultimately must be implemented in the organization’s systems. These systems include more than just technology: they consist of people, procedures, devices, and applications. The business risk includes a significant IT-related component, but we must take a holistic view of risk management. Noncompliance can damage a company’s brand image, profitability, and stock price—not just through resulting legal problems, but through bad publicity. Let’s take a brief look at some of the key areas and regulations that are having the biggest impact.

Privacy: Protecting Personal Information

For many US companies, the wake-up call was the California data security breach notification law (State Bill 1386), which became effective in 2003. A key aspect of this law requires companies that store personal information to notify the owner of the information in the event of a known or suspected security breach. Businesses could reduce their exposure, as well as the risk to individuals, by encrypting personal data. After this, other states quickly followed suit, implementing regulations that generally follow the basic tenets of California’s original law: companies must promptly disclose a data breach to customers, usually in writing. In addition, federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), have addressed specific categories of personal information. Further regulations have been added in other countries, too, such as the updated data-protection privacy laws implemented in Europe (European Commission 2011, 2012).

The implications of these local and national regulations extend beyond geographical boundaries. As companies do more business online, they’re increasingly likely to acquire and store information about customers from other countries, and find that they also need to comply with regulations around the world. Those regulations may change, with implications for businesses in multiple countries.
In late 2015, for example, Europe’s highest court struck down the so-called “safe harbor” agreement that had allowed companies to move information about consumers between the European Union and the United States. The replacement EU-US Privacy Shield, agreed after three months of negotiations, aimed to address European privacy concerns with written guarantees that US intelligence agencies would not have indiscriminate access to Europeans’ personal data stored in the US (Scott 2016). The issue can become even more complex when businesses outsource application development or HR functions to providers located in yet another country. Now, software developers in India may be building and operating the systems that collect information about Europeans for US companies, making it even more difficult for businesses to navigate compliance with all relevant privacy regulations.

Personalization vs. Privacy

Privacy concerns are set to become even more important over time, as businesses increasingly seek to create online experiences tailored to the needs of individual users. The more a business knows about each individual, the more it can personalize services and offer targeted advertising based on income and preferences.
Many users also like personalized services. If a web site “remembers” them, they don’t need to enter the same information each time they visit the site, and they’re more likely to see content and offers relevant to their needs. In fact, companies may be at a disadvantage if they don’t personalize services because users may prefer a web site from a competitor that offers a more streamlined experience.

However, there’s an inevitable conflict between personalization and privacy. The personalization trend is fueling the growth of an industry focused on collecting, analyzing, and reselling information about individuals. This industry existed long before the Web; personal information has been used in mass-mailing campaigns for decades. However, the Web is both increasing demand for this information and providing new ways to collect it. Companies now have opportunities to collect information from multiple online sources, correlate and analyze this information, and then sell it to others. And of course, consumers’ fears that information will be lost or misused have increased accordingly.

For businesses, however, offering personalized services also can increase compliance concerns. As companies store more personal information, they are responsible for safeguarding that information and are liable for any loss or compromise. In many parts of the world, companies are also required to explain why they are collecting personal data, how they are protecting it, and how long they will keep it.

We can expect continuing tension due to conflicting desires for personalization and privacy—and more regulation as a result. Governments clearly believe that businesses cannot be relied upon to regulate themselves, so they will continue to add regulations designed to protect the privacy of individuals. Meanwhile, businesses will seek new ways to collect more information so that they can further personalize services.
Developing compliance strategies and guidelines becomes even more pressing.

Financial Regulations

Financial regulation surfaced as a top priority in the United States with the Sarbanes-Oxley Act (SOX), which emerged from the public outrage over corporate and financial accounting scandals at companies such as Enron and WorldCom. These scandals cost investors billions of dollars and damaged public confidence. To help avoid similar catastrophes in the future, SOX imposed financial tracking requirements designed to ensure that a company’s financial reporting is accurate and that there hasn’t been fraud or manipulation. Once enacted, SOX required publicly held companies to meet specific financial reporting requirements by the end of 2004.

Although the Sarbanes-Oxley Act doesn’t mandate specific technology controls, it has major implications for IT. Ensuring financial integrity requires controls to be implemented within everyday financial processes. In practice, this means they must be enforced within the IT applications and infrastructure that support those processes. Purchases above specific thresholds may require approval from the finance group; the underlying applications have to support this workflow, and to be sure the applications function correctly, businesses need to establish the integrity of the underlying computer infrastructure. Compliance with financial regulations therefore creates a series of IT requirements, from making sure that applications provide the right functionality to implementing access controls and updating software.
E-Discovery

Regulations governing the discovery of information for litigation purposes officially extended their reach into the electronic realm in 2006. That’s when the US Supreme Court’s amendments to the Federal Rules of Civil Procedure explicitly created the requirement for e-discovery—the requirement to archive and retrieve electronic records such as e-mail and instant messages. This created an immediate need not just to archive information, but to automate its retrieval. This is because records must be produced in a timely way, and manual retrieval would take too long and be prohibitively expensive.

The business risks of noncompliance are considerable: unlike many countries, US practice allows for potentially massive information disclosure obligations in litigation. Companies that fail to meet e-discovery requirements may experience repercussions that include legal sanctions. The implications are correspondingly onerous. Lawsuits may draw on information that is several years old, so businesses must have the capability to quickly search and access archived information as well as current data. E-discovery is further complicated by the growth of cloud computing models such as software as a service (SaaS). As organizations outsource more business processes and data to cloud service suppliers, they need to ensure that their suppliers comply with their e-discovery needs.

Expanding Scope of Regulation

The regulatory universe continues to expand, with the likelihood of more regulations that explicitly address IT, as new technologies emerge and governments try to control their use and inevitable misuse. In the US, lawmakers have proposed legislation to increase the security and privacy of connected cars, following a widely publicized demonstration in which researchers hacked into a Jeep and took over its controls.
The Food and Drug Administration (FDA) has published cybersecurity guidelines describing requirements for manufacturers of Internet-connected medical devices (FDA 2016). The attempts by various governments to gain access to technology for the purposes of combating terrorism have generated considerable impact and controversy. In China, a new anti-terrorism law requires that technology companies hand over technical information and help with decryption when the police or state security agents demand it for investigating or preventing terrorist cases (Buckley 2015). In the US, even greater controversy was generated by the US Government’s attempts to force Apple Computer to create “back doors” that make it easier to access information on iPhones used by terrorists or criminals. In India, after terrorists used unsecured Wi-Fi access points to communicate information about their attacks, the government created a legal requirement that any access point must be secured (Government of India Department of Telecommunications 2009). In other countries, businesses that operate unsecured Wi-Fi access points (a common way to provide Internet access for visitors) may find themselves facing other legal problems. For example, unscrupulous individuals may tap into the network to access web sites for purposes such as illegally downloading music or pornography. Access appears to originate from the company hosting the access point, which may then find itself on the receiving end of correspondence or raids from the music industry or government agencies.
The Rapid Proliferation of Information, Devices, and Things

The computing environment is growing as rapidly as the regulatory environment. The sheer volume of information is exploding, and it is being stored across a rapidly growing array of devices. The Internet of Things will drive yet another exponential increase: Gartner, Inc. estimates that during 2016, 5.5 million new “things” will be connected every day, and Cisco expects 50 billion connected devices by 2020. In the not too distant future, almost any device with a power supply may have an IP address and will be capable of communicating—and being attacked—over the Internet. Recent headlines have highlighted the growing threat activity focused on IoT, as I’ll discuss further in Chapter 7. Researchers hacked into a Jeep via its Internet-connected entertainment system and remotely controlled the vehicle’s functions (Greenberg 2015); other researchers showed that thousands of medical devices in hospitals are vulnerable to attack.

At the same time, the boundaries between work and personal technology have in some cases completely dissolved. Whether businesses officially allow it or not, employees are increasingly using their personal devices for work by sending e-mails from and storing information on their personal smartphones and computers. Furthermore, people may forward e-mail from business accounts to personal accounts created on external systems, without considering that when they signed up for the personal account, they agreed to a license that allows the external provider to scrutinize their e-mails. The use of personal technology such as smartphones can considerably enhance business productivity because employees can now communicate from anywhere at any time. However, this also creates a more complex, fragmented environment with more potential points of attack.
Information is now exposed on millions of new devices and disparate external networks, many of which do not have the same type of security controls as corporate PCs, and all of which are outside corporate network firewalls. Not surprisingly, mobile malware has become a major industry, and is still growing: one survey found more than 1,200 known families of Android malware in 2014, more than double the number found the previous year (Millman 2015). The boundaries between work and personal lives are dissolving in other ways, too. Employees store more information on the Internet—on business and consumer social media sites, for example—than ever before. These sites are powerful tools for communicating with audiences outside the corporate firewall. However, just as there’s an industry gathering and analyzing personal information for marketing purposes, information on the Web can be used for competitive intelligence or for less legitimate purposes. Users store snippets of information in multiple places on the Web. Although each of these snippets may not provide much information, when pieced together they can provide new intelligence not just about the individual, but also about the organizations to which the person belongs. Each item is like a single pixel in a digital picture. Alone, it doesn’t convey much information; but step back, aggregating information from a wider range of sources, and those pixels combine to form a portrait. In the same way, pieces of information strewn across a variety of unrelated web sites—the name of a department, workmates, pet names that might be used as passwords—can be linked together to create a picture of an individual and used for malicious purposes.
The Changing Threat Landscape

The threat landscape is evolving rapidly, with an increase in highly organized and well-funded groups capable of executing sustained attacks to achieve long-term goals, including cyberespionage, cyberterrorism, and cyberwarfare. These attackers, generally known as advanced persistent threats (APTs), were originally thought to focus mainly on governments but more recently have also been shown to target private-sector organizations, with the goal of stealing intellectual property or simply causing damage. APTs include nation-state organizations, “hacktivist” groups attempting to publicize or further their cause, and organized crime. Hacktivists who said they were targeting oppressive regimes claimed responsibility for an attack that disabled more than 30,000 computers at the world’s biggest oil producer, Saudi Aramco. The FBI blamed North Korea for a crippling attack on Sony Pictures (Schmidt et al. 2015). In 2014, the US Justice Department indicted five Chinese military hackers for stealing trade secrets and other information from US companies in the nuclear power, metals, and solar industries (Department of Justice 2014); in 2016, the US charged seven hackers linked to the Iranian government with hacking US banks and dam operations (Nakashima and Zapotosky 2016).

The steady rise of organized cybercrime online is entirely logical. As the exchange of money and information has moved online, organized crime has followed, focusing on theft of valuable assets such as intellectual property. This has spawned a mature malware industry that increasingly resembles the legitimate software industry, complete with a broad set of services, guarantees, and price competition among suppliers. Ransomware, which encrypts a victim’s data until a ransom is paid, is a recent trend.

Stealthy Malware

This evolving set of threat agents is using new, more sophisticated tools and methods to mount attacks. Once upon a time, attackers were amateurish and often driven by personal motives such as the prestige of bringing down a big company’s network. Accordingly, the arrival of malware on a user’s machine was easy to detect: the malware announced itself with icons or messages, and the system often became unusable. Now the trend is toward malware that is stealthy and uses sophisticated techniques to avoid detection. Attackers plant malware that lies undetected over a long period while it captures information. Another common technique is to quietly spread malware by injecting malicious code into an unsuspecting company’s web site; users who visit the site then unknowingly download the code onto their systems.

Accompanying this is a shift from spam mass e-mails to carefully crafted spearphishing attacks aimed at individuals or specific groups. These typically use social engineering techniques, such as providing enough contextual or personal information in an e-mail to tempt people to download malware or click on a link to an infected web site created specifically for that purpose. Though more expensive to mount, spearphishing attacks can be enormously profitable to cybercriminals; an analysis by a supplier of anti-phishing solutions found that they were the primary initial attack method used by APTs in 2015; 22% of attacks were motivated by financial fraud or other crimes (PhishLabs 2016). We can expect these stealthy and targeted attacks to continue, with new methods emerging as necessary to circumvent defenses.
Nine Irrefutable Laws of Information Risk

Over the years, I’ve identified a number of “laws” that encapsulate some of the lessons I’ve learned, and that seem to remain true despite the continually changing environment. I call these the Nine Irrefutable Laws of Information Risk (with acknowledgements to Culp (2000), Venables (2008), Lindstrom (2008), and other sources):

• Law #1: Information wants to be free. People want to talk, post, and share information—and they increase risk by doing so. Some examples:

  – A senior executive at a major technology company updated his profile on a business social networking site. In doing so, he inadvertently pre-announced a shift in his employer’s strategy—a mistake that was promptly and gleefully picked up by the press.

  – An employee found a novel way to fix a piece of equipment more quickly and, to help others across the company, decided to videotape the procedure. Because video files are so large, it didn’t make sense to e-mail the video, so the employee posted it online. Unfortunately, by doing so, he exposed confidential information.

  – At one time or another, many people have experienced this disconcerting event: when composing a message, the e-mail software helpfully autofills the address field, but it selects the wrong name from the address book. You hit Send without realizing the error, thus dispatching a company-confidential message to someone outside the organization.

  It’s worth noting that this rule is not new. Information has always wanted to be free: think of the World War II slogan “loose lips sink ships.” People communicate, and sometimes they share more information than they should. It’s just the methods that have changed, and the fact that, with the Internet, a carelessly mentioned detail is instantly available to anyone across the globe.

• Law #2: Code wants to be wrong. We will never have 100 percent error-free software. In fact, the more widely used the software, the more malicious individuals will hunt for vulnerabilities in the code. They have found and exploited errors in the world’s most widely used web sites, productivity applications, and enterprise business software.

• Law #3: Services want to be on. On any computer, some background processes always need to be running, and these can be exploited by attackers. These could even be security software processes used for everyday activities like keeping systems up-to-date with software patches or monitoring for malware.
• Law #4: Users want to click. People naturally tend to click when they see links, buttons, or prompts. Malware creators know this, and they take advantage of it. In fact, the entire phishing industry is based on the assumption that users will click on enticing e-mails, web sites, or pop-up ads, triggering the download of malicious code to their systems. The evolution of highly targeted attacks such as spearphishing has taken this to a new level, as when e-mails purporting to be letters discussing legal action from a circuit court were sent to senior executives at a number of companies.

• Law #5: Even a security feature can be used for harm. Security tools can be exploited by attackers, just like other software. This means that laws 2, 3, and 4 are true for security capabilities, too. Networking equipment supplier Juniper Networks discovered that its firewall software contained “unauthorized code” that surreptitiously decrypted virtual private network traffic (Goodin 2015). Security researchers have uncovered vulnerabilities that can be exploited by attackers in products from well-known security suppliers, including Kaspersky Labs and FireEye (Ashford 2015).

• Law #6: The efficacy of a control deteriorates with time. Once put in place, security controls tend to remain static, but the environment in which they operate is dynamic. Organizations tend to “set and forget”: to install security controls and then fail to update them with security patches or to properly maintain access lists. As attackers find new ways to circumvent or compromise the controls, their effectiveness progressively degrades. As Rob Joyce, who heads the National Security Agency’s elite hacking unit, put it, an organization with static defenses will drift to the back of the herd, where it is easily picked off by a predator (see Chapter 6).

• Law #7: Code needs to execute. All software, good or bad, needs to execute in order to perform its intended function. Malware is created with malicious intent, but until it executes, it is dormant and can do no harm. Exploits can therefore be intercepted and stopped by security tools that inspect code before execution, identify good from bad, and prevent bad code from executing.

• Law #8: Controls create friction. Security controls can slow users and business processes by impacting system performance or forcing them to use cumbersome processes. High-friction controls therefore impose a “drag coefficient” on business velocity. Users react to a high degree of control friction by circumventing the controls whenever possible; as a result, the controls can actually introduce new risks as business users go around IT to get their jobs done. Control friction is an important consideration when designing security architectures (see the discussion on the 9 Box of Controls in Chapter 7).
• Law #9: As our digital opportunities grow, so does our obligation to do the right thing. As technology becomes embedded into the fabric of our lives, exploits that take advantage of technology vulnerabilities may increasingly impact the well-being of almost everyone in society. So it is particularly important that we apply the right ethical values to shape the way we design, develop, and implement these technologies. As I explain in Chapter 9, security and privacy should now be considered a corporate social responsibility.

A New Approach to Managing Risk

Given the ever-broadening role of technology and the resulting information-related business risk, we need a new approach to information security built on the concept of protecting to enable. This approach should

• Incorporate privacy and regulatory compliance by design, taking a holistic view of information risk. Also, because all companies are moving toward using technology not only for internal operations but also in products and services, the information security organization must work closely with other business groups to understand and manage risk.

• Recognize that people and information, not the enterprise network boundary, are the security perimeter. Information is no longer restricted to tightly managed systems within data centers; it now also resides outside the firewall, on users’ personal devices, and on the Internet. Managing risk therefore requires a range of new tools, including user awareness and effective security controls for personal devices.

• Be dynamic and flexible enough to quickly adapt to new technologies and threats. A static security model will inevitably be overtaken by the dynamic nature of threats. We need security architectures that can rapidly learn and adapt to new devices and evolving threats, with a high degree of automation.

Above all, we need to accomplish a shift in thinking, adjusting our primary focus to enabling the business, and then thinking creatively about how we can do so while managing the risk. Our roles will only increase in importance as technology becomes even more prevalent. Our ability to protect information security and privacy will be essential to building the trust that enables our organizations to take advantage of new digital opportunities.
© Malcolm W. Harkins 2016. M.W. Harkins, Managing Risk and Information Security, DOI 10.1007/978-1-4842-1455-8_2

CHAPTER 2

The Misperception of Risk

The moment we want to believe something, we suddenly see all the arguments for it, and become blind to the arguments against it.
—George Bernard Shaw

One hundred years ago, the “unsinkable” Titanic foundered after striking an iceberg off the coast of Newfoundland. More than 1,500 people died in what became one of the deadliest maritime accidents ever. Several factors contributed to this massive death toll, but perhaps the most critical was that there simply weren’t enough lifeboats. The ship carried 2,224 people, but fewer than half of them could squeeze into the boats. As we know, passengers who didn’t get a spot in one of those lifeboats quickly died in the freezing waters of the North Atlantic.

What’s less well known is that the Titanic’s supply of lifeboats was in full compliance with the British marine regulations in force at the time. The law required the ship to carry 16 lifeboats; the Titanic actually had 20 lifeboats. The ship’s owners did a good job of providing enough boats to address the regulatory risk of noncompliance. Unfortunately, meeting regulatory requirements did little to prevent the tragic loss of life.

This is a case of misperception of risk. The owners focused on mitigating the regulatory risk, apparently blind to the much larger risk of disaster. They framed the lifeboat issue as a compliance item that needed to be addressed so that the ship could start carrying passengers and generating revenue. One could argue that if they had stepped back and considered the potential consequences for the customers rather than the company’s short-term priorities, history might have unfolded differently. Reports suggest that the Titanic had enough capacity to easily add enough lifeboats for everyone on board, had the owners chosen to do so.

What does this example have to do with managing information risk? We encounter misperceptions every day within the realm of enterprise risk and security. Every organization has a greater responsibility than simply complying with regulations. We have to think about who is ultimately at risk: the company or the customer? Furthermore, as I’ll show in this chapter, everyone in the organization has their own priorities and their own subjective view of risk. Unless we mitigate these misperceptions, they can have disastrous consequences. As a result, I believe that the misperception of risk is the most significant vulnerability facing enterprises today.
The Subjectivity of Risk Perception

As security professionals, we tend to think about objective ways to estimate risk—to assess the likelihood and extent of harm that can occur due to specific threats and vulnerabilities. But in reality, the way people perceive risk has a strong subjective component. Economic and psychological factors greatly affect how each of us perceives the likelihood and potential impact of harm from specific actions or situations. Within an organization, each individual’s perception of risk varies depending on his or her job role, goals, background, and peer group. This means managers, security professionals, and end users all may have a different view of the risk associated with a specific technology or action.

Misperceiving risk has serious consequences because our actions are shaped by our perception of risk. An employee may think that posting personal and work-related information on a social media site is relatively harmless. However, hackers might use this publicly available information in phishing e-mails to gain access to enterprise systems via the employee’s computer, ultimately resulting in detrimental security breaches.

End users are not the only members of the organization who can misperceive risk. Everyone is capable of misperceiving risk, including risk and security professionals. As I’ll explain later in this chapter, misperceptions occur at the group level as well as the individual level. Members of a group may share the same bias in their perception of risk and benefit. The decisions that result from these misperceptions can weaken the entire organization’s security posture. If an organization underestimates a risk, it will underspend on controls to mitigate that risk, increasing the likelihood and potential impact of major problems such as data breaches. On the other hand, if the organization overestimates a risk, it will allocate a disproportionately large share of its security resources to the risk, leaving other parts of the risk landscape underprotected.

In this chapter, I’ll discuss how and why different people within an organization misperceive risk, whether they are acting as information technology users, security professionals, or managerial decision makers. To explore these misperceptions, I’ve drawn on research across the broader field of risk psychology, notably The Psychology of Risk, a book by Professor Dame Glynis Breakwell, Vice Chancellor of the University of Bath (Cambridge University Press 2007). I’ll examine how these ideas about risk perception apply to information risk and security. I’ll explain some of the consequences of those misperceptions, and I’ll discuss some of the ways an organization can address them.

How Employees Misperceive Risk

Research shows that if we like an activity, we tend to judge its benefits to be high and its risk to be low (Slovic 2010). Conversely, if we dislike the activity, we judge it as low-benefit and high-risk. Because of this, the perception of risk by individuals and groups within an organization tends to be biased by their preferences, roles, and objectives. Everyone is trying to achieve their individual or group goals within the organization, so they tend to see activities and technologies that support those goals as beneficial, and therefore they tend to underestimate the risk.
So if employees like social media, their attraction to the technology skews their perception of benefit and risk. Because they judge the benefit to be high and the risk to be low, they feel comfortable posting information such as their job title, location, and even the projects they’re working on. They may even allow sites to capture their location, using the global positioning system in their cell phone, and display the location in real time. Unfortunately, these employees may not think about how a malicious individual could use the information.

Today, as we’ve seen, an individual’s use of technology can harm not only the individual but the entire organization. Attackers exploit publicly available personal information to craft spearphishing e-mails that are particularly convincing because they appear to demonstrate a relationship with the recipient, making the employee more likely to click on a link that downloads malware to the system. From there, the attack spreads to the rest of the corporate network. In addition, information posted by individuals is now routinely aggregated, analyzed to identify patterns, and sold, often to a company’s competitors.

The risk and security team may also misperceive the risk of social media, but in the opposite direction: they overestimate the risk and underestimate the benefits. They may not like social media because it creates vulnerabilities, and their perception then drives them to focus on minimizing the risk by trying to block the use of the technology.

Other psychological factors also come into play in shaping end users’ risk perception. People in general tend to believe they are personally less likely than others to experience negative events and more likely to experience positive events, leading to a sense of personal invulnerability (Breakwell 2007). In addition, users are more likely to behave in risky ways if their colleagues do so. “It’s conformity: being seen to be doing what everybody else is doing,” Breakwell says (pers. comm.). Many social media sites encourage this conformist tendency; if all your friends are using a social media site, you’re likely to join the site too because it enables you to see what they are doing and share information with them more easily.

The likelihood that individuals will behave in ways risky to the organization also increases when their individual interests don’t align with the company’s. This divergence is most likely when employees are discontented, resentful, demoralized, or simply don’t trust IT or the broader organization. In economic theory, the problem resulting from this lack of alignment is known as a moral hazard: a situation in which someone behaves differently from the way they would if they were fully exposed to the risk. A useful moral hazard analogy is renting a car with full insurance coverage. People are likely to be less careful with the rental car than they would be with their own car if they’re not responsible for the consequences. The attitude is “if it’s not mine, it doesn’t matter.”

In the realm of enterprise IT, moral hazards may be a bigger concern than many appreciate. A Cisco survey (2011a) found that 61 percent of employees felt they were not responsible for protecting information and devices, believing instead that their IT groups or IT service providers were accountable. Ominously, 70 percent of these surveyed employees said they frequently ignored IT policies. One indicator of the extent of moral hazard within an organization may be how employees treat company-provided laptops. Higher-than-average loss or damage rates might suggest employees don’t care about the laptops and may be an indication they don’t care about other corporate assets either. As I’ll discuss in Chapter 5, I believe allowing reasonable personal use of laptops can help reduce the risk of moral hazard because it aligns personal interests with those of the organization.